Abstract


In air traffic management, pairwise coordination is the ability to achieve separation 
requirements when conflicting aircraft simultaneously maneuver to solve a conflict. 
Resolution algorithms are implicitly coordinated if they provide coordinated reso- 
lution maneuvers to conflicting aircraft when only surveillance data, e.g., position 
and velocity vectors, is periodically broadcast by the aircraft. This paper proposes 
an abstract framework for reasoning about state-based implicit coordination. The 
framework consists of a formalized mathematical development that enables and 
simplifies the design and verification of implicitly coordinated state-based resolu- 
tion algorithms. The use of the framework is illustrated with several examples of 
algorithms and formal proofs of their coordination properties. The work presented 
here supports the safety case for a distributed self-separation air traffic management 
concept where different aircraft may use different conflict resolution algorithms and 
be assured that separation will be maintained. 
1 Introduction


The next generation of air traffic management systems may enable a mode of oper- 
ation where aircraft take a primary responsibility in the management of air traffic 
separation. This mode of operation, which is called self-separation, is supported
by advances in hardware and software technologies. For example, global navigation 
satellite systems, such as Global Positioning System (GPS), will provide accurate 
surveillance information, which is then broadcast to traffic aircraft and ground el- 
ements by systems such as Automatic Dependent Surveillance-Broadcast (ADS-B). 
This information is then used by separation assurance systems, such as conflict 
detection and resolution algorithms (CD&R), to warn aircraft crew and air traffic 
controllers about traffic conflicts and to advise pilots on possible resolution maneu- 
vers. 

The conflict management function of the self-separation concept is a safety- 
critical component of the system. The safety case for that concept must guarantee 
that distributed separation assurance systems interact in a consistent way, i.e., aircraft
do not fly into each other when they independently and simultaneously maneuver
to solve a conflict using their onboard CD&R logic. As discussed by Wing
et al. [20], the conflict management function in a self-separation concept may rely 
on a multi-layered approach where one or more CD&R algorithms are used at dif- 
ferent times by different aircraft. Providing a guarantee of safe interaction between 
these different algorithms requires verification that the distributed resolution ma- 
neuvers provided by the onboard systems are complementary. The characterization 
of complementary resolution maneuvers is not a trivial task. Different resolution 
algorithms have different safety goals. One algorithm, for example, may try to 
immediately recover separation, while another algorithm may try to iteratively im- 
prove the separation requirement. Even in the case where the safety goal is the 
same, algorithms that safely interact with themselves in a distributed environment 
do not necessarily interact with each other in a safe way. 

In CD&R literature [10], the terms cooperation and coordination are often used 
to describe aircraft interaction when solving a conflict. Several approaches have 
been proposed to handle this interaction, for example by exchanging intent information
[1, 9, 18, 19], by a temporary delegation of responsibility for separation [7], or
by geometric methods [2, 4, 5, 8]. This paper provides a mathematical framework for 
understanding implicit coordination by geometric methods for state-based CD&R. 
Geometric methods refers to decision making rules that only depend on the geometry 
of the encounters, such as the rule in the Visual Flight Rules that states that when 
aircraft are approaching head-on, each aircraft shall alter their course to the right. 
State-based CD&R refers to the use of nominal aircraft trajectories that do not in- 
clude intent information and are defined as linear projections of the current position 
and velocity of the aircraft for a given lookahead time. Finally, implicit coordination 
refers to the case where aircraft do not negotiate their resolution maneuvers but still 
take complementary actions.

The implicit coordination concept considered in this paper only relies on peri- 
odically broadcast surveillance from traffic aircraft, for example via ADS-B. This 
concept is particularly suitable for distributed systems since it does not assume exchange
of aircraft intention and does not rely on an explicit resolution negotiation
between the aircraft. Furthermore, state-based separation assurance systems use 
simple models of the aircraft dynamics and the airspace geometry. These mod- 
els yield analytical solutions that can be implemented very efficiently in software 
systems. In air/ground distributed air traffic management concepts, such as the 
self-separation concept, state-based CD&R often serves as backup for intent-based 
systems. Therefore, the overall safety of these concepts is ultimately dependent on 
state-based algorithms. 

The proposed framework provides formal mathematical definitions of coordina- 
tion and other fundamental concepts such as loss of separation, air traffic conflict, 
and pairwise resolution algorithm. The notion of coordination proposed here is rel- 
ative to an abstract concept of a safety property , which characterizes safety goals 
that are intended to be maintained by a family of resolution algorithms. The frame- 
work also includes a set of theorems for reasoning about coordination for particular 
algorithms and particular safety properties. These theorems do not only enable the 
proof that a given algorithm is implicitly coordinated with itself, but more inter- 
estingly, they enable and simplify the proofs that the given algorithm is implicitly 
coordinated with other conflict resolution algorithms. 

The mathematical development presented here can be used by developers of 
state-based separation assurance systems to design implicitly coordinated algorithms 
that are correct by construction and whose formal properties can be derived from the 
theorems provided by the framework. It could also be used by technical committees 
working on certification standards for distributed separation assurance systems. In 
the paper “A Criteria Standard for Conflict Resolution: A Vision for Guaranteeing 
the Safety of Self-Separation in NextGen” [12], the framework presented here is used 
to propose a standard for guaranteeing the safe interaction of state-based separation 
assurance algorithms. The proposed standard does not rely on a single mandated 
CD&R algorithm but rather it proposes a set of common criteria to be satisfied 
by algorithms that operate under a self-separation concept. That paper provides 
concrete examples of criteria for conflict resolution and loss of separation recovery 
algorithms. The fact that those criteria guarantee implicit coordination has been 
proved once and for all using the framework presented in this paper. Certifying 
that a particular algorithm complies with the standard entails the verification that the
algorithm satisfies the criteria, which is a relatively simple task that can also be 
accomplished by using the results in this framework. 

This paper is logically structured in two parts. The first part, composed of 
sections 2 through 5, lays out the theoretical aspects of the framework. Section 2 
concerns notation, basic definitions, and geometrical and physical assumptions. Sec- 
tion 3 presents the main theoretical contribution of this work: an abstract theory 
of state-based coordination. It is in this section that theorems providing sufficient 
and necessary conditions for proving coordination are stated and proved. Section 4 
specifies safety properties for conflict-free, repulsive, and divergent resolution ma- 
neuvers. Section 5 provides a set of theorems for proving coordination of resolution 
algorithms for the safety properties presented in Section 4. The second part of the 
paper consists of sections 6 and 7. This part illustrates the theoretical concepts 
with practical examples. Section 6 formally specifies well-known CD&R algorithms. 
Several coordination properties of these algorithms are formally proved in Section 7.
Finally, the last section concludes this work. 


2 Notation and Basic Definitions 

This section presents the mathematical notation used in the paper and provides the 
basic definitions required to understand the concepts developed in the rest of the 
paper. 


2.1 Notation 

Vector variables are written in boldface and can be denoted by their components.
For example, if $\mathbf{u}$ is a 2-dimensional vector, then $\mathbf{u}$ denotes the pair $(u_x, u_y)$. The
two-dimensional Euclidean norm of the vector $\mathbf{u}$ is denoted by $\|\mathbf{u}\|$ (footnote 1),
and the dot product of the 2-dimensional vectors $\mathbf{u}$ and $\mathbf{w}$ is denoted

$\mathbf{u} \cdot \mathbf{w} \equiv u_x w_x + u_y w_y.$

Furthermore, $\mathbf{0}$ denotes the zero vector, i.e.,

$\mathbf{0} \equiv (0, 0),$

and $\mathbf{u}^\perp$ denotes the right perpendicular vector to $\mathbf{u}$, i.e.,

$\mathbf{u}^\perp \equiv (u_y, -u_x).$

From these definitions, it can be easily proved that $\mathbf{u} \cdot \mathbf{u}^\perp = 0$.

The function sign maps real numbers to unit values in $\{-1, 1\}$ and is defined
as follows.

$\mathrm{sign}(x) \equiv \begin{cases} 1 & \text{if } x > 0, \\ -1 & \text{otherwise.} \end{cases}$

The expression $i = \pm 1$ denotes the fact that an integer $i$ belongs to the set
$\{-1, 1\}$. Moreover, the symbols $\neg$, $\Rightarrow$, and $\Leftrightarrow$ denote logical negation, implication,
and equivalence, respectively. In the context of this paper, a predicate is a Boolean
function. For example, a predicate on vectors is a function that maps vectors into 
Boolean values. 

The mathematical development presented in this paper has been specified and 
formally verified in the Prototype Verification System (PVS) [15]. PVS is a proof 
assistant that consists of a specification language, based on classical higher-order 
logic, and a mechanical theorem prover for this logic. The PVS specification lan- 
guage allows for the precise definition of mathematical objects such as functions 
and relations, and the precise statement of logical formulas such as lemmas and
theorems. Proofs of logical formulas can be mechanically checked using the PVS
theorem prover, which guarantees that every proof step is correct and that all
possible cases of a proof are covered. All lemmas and theorems presented in this
paper have been mechanically checked in PVS. For the sake of simplicity, only
proof sketches of the main results are presented in the paper. The complete
development, including all definitions and formal proofs, is available from
http://shemesh.larc.nasa.gov/people/cam/ACCoRD.

1 The symbol $\equiv$ is used to introduce mathematical definitions.

The use of a formal language, e.g., in this case the specification language of 
PVS, enforces rigorous definitions of mathematical objects, where all dependencies 
are clearly specified. This level of rigor guarantees a very high confidence in the
correctness of the results presented in this paper. However, this also makes the nota- 
tion heavy and difficult to read for the non-expert reader. For this reason, the work 
presented here uses standard mathematical notation and does not assume that the 
reader is familiar with the syntax or semantics of the PVS language. In particular, 
some syntactical conventions are taken by the authors to make this development 
more accessible to the casual reader: 

• The PVS specification language is strongly typed, i.e., all declarations are explicitly
typed [16]. This feature guarantees that all PVS functions are total
and well-defined. For instance, a mathematical formula that includes a di- 
vision needs to make explicit the fact that the divisor is different from zero, 
otherwise the expression would be undefined. In PVS, these conditions are 
handled by a type system, which is enforced by the PVS type-checker. Since 
PVS type annotations tend to be verbose, formulas in this paper appear un- 
typed. When necessary, the type domain of variables is made explicit in the 
context where the formula appears. 

• PVS is based on higher-order logic, so it supports the definition of functions 
that return functions or that have functions as arguments. In this paper, 
arguments of a higher-order function are called parameters. For example, 
this paper uses the notions of parametric predicate and parametric set. A 
parametric predicate P on vectors, with parameters s, v, is a higher-order 
function that takes as arguments vectors s and v, and returns a predicate on 
vectors. Similarly, a parametric set A of vectors, with parameters s, v, is a 
higher-order function that takes as arguments vectors s and v, and returns 
a set of vectors. Sub- and super-indices will be used to denote parameters, 
e.g., $P_{\mathbf{s},\mathbf{v}}$ and $A_{\mathbf{s},\mathbf{v}}$ are, respectively, the predicate and set resulting from the
application of the parametric predicate P and parametric set A to s and v.

• The PVS notation is declarative, i.e., there is not a notion of memory state 
as in a programming language. Algorithms are represented by functions. By 
convention, names of functions that are intended to have a logical meaning 
are written in italics. Functions that represent algorithms to be implemented 
in a programming language are written in typewriter font. 

2.2 Assumptions and Basic Definitions 

This paper considers pairwise resolution algorithms that return guidance maneuvers 
for aircraft. The terms ownship and intruder are used to distinguish between the 
aircraft for which the resolution maneuver is computed, which corresponds to the
ownship, and the traffic aircraft, which corresponds to the intruder. These desig- 
nations are relative. Each aircraft will be from its point of view the ownship and 
the other aircraft will be the intruder. Without loss of generality, the development 
presented here takes the point of view of one of the aircraft, and that aircraft will 
be designated as the ownship. 

The algorithms discussed here only use state-based information for the two air- 
craft, i.e., position and velocity vectors that are elements of a Euclidean space. 
Aircraft dynamics are represented by a simple kinematic model where points move 
at constant linear speed. For notational convenience, this paper mostly uses the 
Euclidean 2-dimensional geometry instead of the 3-dimensional one, but as shown
in Section 5.4, all the results in this paper have been generalized to the Euclidean
3-dimensional airspace. The current states of the ownship and intruder aircraft are
denoted by the following vectors.

$\mathbf{s}_o$   Initial position of the ownship aircraft
$\mathbf{v}_o$   Initial velocity of the ownship aircraft
$\mathbf{s}_i$   Initial position of the intruder aircraft
$\mathbf{v}_i$   Initial velocity of the intruder aircraft

It is assumed that the ground speeds of the ownship and intruder aircraft are not
zero, i.e., $\|\mathbf{v}_o\| \neq 0$ and $\|\mathbf{v}_i\| \neq 0$. Therefore, $\mathbf{v}_o \neq \mathbf{0}$ and $\mathbf{v}_i \neq \mathbf{0}$.

In the airspace system, the separation requirement for two aircraft is specified 
by a minimum horizontal separation D (typically, D is 5 nautical miles). A loss 
of separation between two aircraft occurs when the distance between them is less 
than D. 

Definition 1. The ownship and intruder aircraft are in loss of separation if and 
only if it holds that 

$\|\mathbf{s}_o - \mathbf{s}_i\| < D.$

The separation requirement can be understood as an imaginary circle of diame- 
ter D around each aircraft, and a conflict between two aircraft as a future overlapping 
of these circles. In this paper, an alternative but equivalent view is considered where 
the intruder is surrounded by a circle, called the protected zone, of radius D. From 
this perspective, a conflict between the ownship and intruder aircraft is defined as 
the existence of a time t > 0 at which the ownship is in the interior of the intruder’s 
protected zone. In conflict detection algorithms, it is also required that t is within a 
specified lookahead time. However, since this work concerns resolution algorithms, 
a lookahead time is not considered. 

Definition 2. The ownship and intruder aircraft are in conflict if and only if there 
exists t > 0 such that, at time t, separation is lost, i.e., 

$\|(\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i)\| < D.$

Since $(\mathbf{s}_o + t\,\mathbf{v}_o) - (\mathbf{s}_i + t\,\mathbf{v}_i) = (\mathbf{s}_o - \mathbf{s}_i) + t\,(\mathbf{v}_o - \mathbf{v}_i)$, the mathematical expression
that characterizes conflict can be defined on $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, i.e., the
relative position and velocity vectors, respectively, of the ownship with respect to
the intruder. Therefore, conflict can be viewed as a predicate of two vectors $\mathbf{s}$ and $\mathbf{v}$
rather than a predicate of four vectors $\mathbf{s}_o$, $\mathbf{v}_o$, $\mathbf{s}_i$, and $\mathbf{v}_i$. This relative view simplifies
the mathematical development presented in this paper. Thus, the predicate Conflict
can be formally defined as follows.

$\mathit{Conflict}(\mathbf{s}, \mathbf{v}) \equiv \exists\, t > 0 : \|\mathbf{s} + t\,\mathbf{v}\| < D. \qquad (1)$

In this paper, the relative position and velocity vectors, $\mathbf{s}$ and $\mathbf{v}$, will commonly be
used in place of $\mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v}_o - \mathbf{v}_i$, respectively.

In a distributed airspace concept, a resolution algorithm can be defined as a 
function that computes one resolution maneuver for the aircraft that executes the 
algorithm, i.e., the ownship. In this paper, this definition is generalized such that
a resolution algorithm returns a set of vectors, each of which represents a distinct 
resolution maneuver for the ownship. Since in PVS all functions are total, i.e., they 
are defined for all the elements of the domain, the generalization used in this paper 
has the advantage of encoding the case where no resolutions are available for the
ownship as the empty set. That is, if there are no resolutions available, then an 
empty set is returned by the resolution algorithm. 

Definition 3. A resolution algorithm is a function cr that takes as arguments the 
current state of the ownship and intruder aircraft, e.g., $\mathbf{s}_o, \mathbf{v}_o, \mathbf{s}_i, \mathbf{v}_i$, and returns a
set of velocity vectors, where each of these vectors corresponds to a possible velocity 
maneuver for the ownship. 

The velocity maneuvers provided by a resolution algorithm are intended to main- 
tain a safety objective between aircraft, which may be violated at the current state. 
Usually, the safety objective is that the aircraft are not in conflict. This paper uses 
an abstract concept of safety objectives, called safety properties. One characteristic 
of safety properties is that the ownship and the intruder agree on whether the given 
notion of safety is currently satisfied. That is, if from the perspective of one aircraft, 
the current state appears safe, then it should appear safe to the other aircraft as 
well. Section 4 will show that this restriction holds for typical safety objectives such 
as conflict-free, repulsion, and divergence. 

Definition 4. A safety property is a parametric predicate P on vectors, with
parameters $\mathbf{s}$, $\mathbf{v}$, such that for all parameters $\mathbf{s}$, $\mathbf{v}$ and for all $\mathbf{v}'$,

$P_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \Leftrightarrow P_{-\mathbf{s},-\mathbf{v}}(-\mathbf{v}').$

The vectors $\mathbf{s}$, $\mathbf{v}$, and $\mathbf{v}'$ in Definition 4 are intended to be relative vectors, where
$\mathbf{s}$ and $\mathbf{v}$ are the current relative position and velocity of the aircraft.

Given a safety property P and current relative vectors $\mathbf{s}$ and $\mathbf{v}$, if $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds,
then it is said that $\mathbf{v}'$ satisfies P. If a safety property P is satisfied when one of the
aircraft maneuvers according to a resolution algorithm cr, while the other aircraft
maintains its current velocity, then resolution algorithm cr is said to be independent
for the safety property P or, more formally, P-independent.

Definition 5. The resolution algorithm cr is P-independent if for all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$
and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$ such that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ does not hold, $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}_i)$ holds for every vector
$\mathbf{v}'_o \in \mathtt{cr}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$.

Definition 5 can be read as “the resolution algorithm cr is independent for a 
safety property P if it computes velocity maneuvers for the ownship that restore P 
when P is not satisfied at the current state.” Since vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, and $\mathbf{v}'_o$ are
universally quantified in this definition, if an algorithm cr is P-independent from 
the ownship’s point of view, it is also P-independent from the intruder’s point of 
view. 

Even when two resolution algorithms $\mathtt{cr}_o$ and $\mathtt{cr}_i$ are both P-independent, it
is still possible that the algorithms return maneuvers that do not satisfy the safety 
property when both aircraft simultaneously maneuver. The coordination property 
defined below ensures that the safety property is met when both aircraft simultane- 
ously maneuver. 

Definition 6. A resolution algorithm $\mathtt{cr}_o$ is P-coordinated with a resolution
algorithm $\mathtt{cr}_i$ if for all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$ such that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ does not hold,
$P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds for all vectors $\mathbf{v}'_o \in \mathtt{cr}_o(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ and $\mathbf{v}'_i \in \mathtt{cr}_i(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$.

Definition 6 can be read as “the resolution algorithm $\mathtt{cr}_o$ is coordinated with
$\mathtt{cr}_i$ for a safety property P if they compute velocity maneuvers for the ownship and
the intruder aircraft that restore the safety property P when P is not satisfied at
the current state.” This definition involves two algorithms simultaneously executed
by two aircraft. From their own perspectives, each aircraft is the ownship while
the other aircraft is the intruder. Since vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, and are quantified
universally, if an algorithm $\mathtt{cr}_o$ is P-coordinated with $\mathtt{cr}_i$, then it is also true that
$\mathtt{cr}_i$ is P-coordinated with $\mathtt{cr}_o$.

It is noted that independence is a property held by one algorithm, while coor- 
dination is a property held by two algorithms. However, by abuse of notation, a 
resolution algorithm cr is said to be P-coordinated if it is P-coordinated with itself. 
This corresponds to the special case where the ownship and intruder aircraft are 
using the same algorithm. 
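
The gap between Definitions 5 and 6, as an added example that is not code from the paper or its PVS development: two hypothetical toy algorithms, `cr_north` and `cr_right`, are checked on one constructed head-on encounter, assuming the conflict-free safety property in which $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds exactly when $(\mathbf{s}, \mathbf{v}')$ is not a conflict. The checks evaluate the definitions at a single state, so they can refute independence or coordination but cannot prove either one.

```python
D = 5.0  # minimum horizontal separation in nautical miles, as quoted on the page

def add(a, b): return (a[0] + b[0], a[1] + b[1])
def sub(a, b): return (a[0] - b[0], a[1] - b[1])
def scale(k, a): return (k * a[0], k * a[1])
def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def perp(u): return (u[1], -u[0])  # right perpendicular vector from Section 2.1

def conflict(s, v, d=D):
    """Equation (1): there is a t > 0 with ||s + t v|| < d."""
    a, b, c = dot(v, v), dot(s, v), dot(s, s) - d * d
    if c < 0:  # already in loss of separation (Definition 1)
        return True
    # ||s + t v||^2 - d^2 = a t^2 + 2 b t + c with c >= 0: it becomes negative
    # for some t > 0 only if the aircraft converge (b < 0) and the minimum is < 0.
    return b < 0 and b * b - a * c > 0

def conflict_free(s, v):
    """Assumed safety property P: P_{s,v}(v') holds iff (s, v') is not a conflict."""
    return lambda v_new: not conflict(s, v_new)

def agrees_on_safety(P, s, v, v_new):
    """Definition 4 at one point: P_{s,v}(v') <=> P_{-s,-v}(-v')."""
    neg = lambda u: scale(-1.0, u)
    return P(s, v)(v_new) == P(neg(s), neg(v))(neg(v_new))

def independent_at(cr, P, s_o, s_i, v_o, v_i):
    """Definition 5 evaluated at one state (the definition quantifies over all)."""
    s, v = sub(s_o, s_i), sub(v_o, v_i)
    if P(s, v)(v):
        return True  # P already holds, nothing to restore
    return all(P(s, v)(sub(v_o_new, v_i)) for v_o_new in cr(s_o, s_i, v_o, v_i))

def coordinated_at(cr_o, cr_i, P, s_o, s_i, v_o, v_i):
    """Definition 6 evaluated at one state: both aircraft maneuver at once."""
    s, v = sub(s_o, s_i), sub(v_o, v_i)
    if P(s, v)(v):
        return True
    return all(P(s, v)(sub(v_o_new, v_i_new))
               for v_o_new in cr_o(s_o, s_i, v_o, v_i)
               for v_i_new in cr_i(s_i, s_o, v_i, v_o))  # intruder's own viewpoint

def deflect(s_o, s_i, v_o, v_i, direction, step=10.0, limit=2000.0):
    """Hypothetical helper: add the smallest multiple of `step` along `direction`
    to v_o that removes the conflict while the intruder keeps v_i.
    Returns a one-element set, or the empty set if no resolution is found."""
    s, k = sub(s_o, s_i), step
    while k <= limit:
        v_o_new = add(v_o, scale(k, direction))
        if not conflict(s, sub(v_o_new, v_i)):
            return {v_o_new}
        k += step
    return set()

def cr_north(s_o, s_i, v_o, v_i):
    """Toy algorithm: always deflect toward +y, whatever the geometry."""
    return deflect(s_o, s_i, v_o, v_i, (0.0, 1.0))

def cr_right(s_o, s_i, v_o, v_i):
    """Toy algorithm: deflect along the right perpendicular of the own velocity."""
    p = perp(v_o)
    speed = dot(v_o, v_o) ** 0.5  # non-zero by the ground-speed assumption
    return deflect(s_o, s_i, v_o, v_i, (p[0] / speed, p[1] / speed))

# Constructed head-on encounter: positions in nmi, velocities in knots.
ENCOUNTER = ((-20.0, 0.0), (0.0, 0.0), (400.0, 0.0), (-400.0, 0.0))  # s_o, s_i, v_o, v_i

def summary():
    """Independence and coordination of each toy algorithm on ENCOUNTER."""
    P = conflict_free
    return {
        "north_independent": independent_at(cr_north, P, *ENCOUNTER),
        "north_coordinated": coordinated_at(cr_north, cr_north, P, *ENCOUNTER),
        "right_independent": independent_at(cr_right, P, *ENCOUNTER),
        "right_coordinated": coordinated_at(cr_right, cr_right, P, *ENCOUNTER),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

On this encounter both aircraft running `cr_north` add the same northward component, so the relative velocity is unchanged and the conflict remains, even though each maneuver alone resolves it. The result for `cr_right` holds for this one encounter only and says nothing about other geometries.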

3 A General Theory of Coordination 

It is usually difficult to prove that resolution algorithms are P-independent or P- 
coordinated for a particular safety property P. Direct proofs of independence and 
coordination involve exhaustive case analyses that spell out the control flow of
the algorithms. 

This section develops a mathematical theory that establishes sets of conditions, 
called criteria, that guarantee independence and coordination of resolution maneu- 
vers for an abstract safety property. Using this theory, the proof that two algorithms 
$\mathtt{cr}_o$ and $\mathtt{cr}_i$ are independent and coordinated for a safety property P can be done
in two steps:

1. Find a criterion that guarantees P-independence and P-coordination.
2. Prove that all resolution vectors computed by $\mathtt{cr}_o$ and $\mathtt{cr}_i$ satisfy the criterion.

This proof approach would be as difficult as a direct proof if it had to be done from 
scratch every time. However, the criterion constructed in the first step can often be 
defined in a general way so that it can be applied to a family of resolution algorithms. 
Section 5 gives several examples of criteria for different safety properties. The second 
step, i.e., the proof that the maneuvers computed by a resolution algorithm satisfy
a criterion, still needs to be proved for every algorithm. But it can be argued that 
this proof is simpler than direct proofs of independence and coordination. Section 7 
illustrates this technique with concrete resolution algorithms. 

3.1 Independent and Coordinated Criteria 

Definition 7. A criterion is a parametric set of vectors A, with parameters s, v. 

If A is a criterion, the set $A_{\mathbf{s},\mathbf{v}}$ consists of vectors in the relative coordinate
system, where the parameters $\mathbf{s}$ and $\mathbf{v}$ are, respectively, the current relative position
and velocity of the aircraft. If all vectors in the set $A_{\mathbf{s},\mathbf{v}}$ satisfy the safety property P,
the criterion A is said to be independent for P or, more formally, P-independent.

Definition 8. A criterion A is P-independent if for all parameters $\mathbf{s}$, $\mathbf{v}$ and
for all $\mathbf{v}' \in A_{\mathbf{s},\mathbf{v}}$, $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.

A resolution algorithm satisfies a criterion when all the maneuvers computed by
the algorithm are included in the criterion.

Definition 9. A resolution algorithm cr satisfies the criterion A if for all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$
and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, $\mathbf{v}'_o \in \mathtt{cr}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ implies $(\mathbf{v}'_o - \mathbf{v}_i) \in A_{\mathbf{s},\mathbf{v}}$.

The following theorem states that to prove that a resolution algorithm is P- 
independent, it is sufficient to prove that the algorithm satisfies a criterion that is 
P-independent. It is easily proved from the definitions. 

Theorem 1. If 

1. the criterion A is P-independent and 

2. the resolution algorithm cr satisfies A, 
then cr is P-independent. 

The concept of coordination for resolution algorithms can be generalized to a 
concept of coordination between criteria. 

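Definition 10. A criterion A is P-coordinated with B if for all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} =
\mathbf{v}_o - \mathbf{v}_i$, and vectors $\mathbf{v}'_o$, $\mathbf{v}'_i$ such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds, $(\mathbf{v}'_o - \mathbf{v}_i) \in A_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in
B_{-\mathbf{s},-\mathbf{v}}$ imply that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds.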

By abuse of notation, it is said that a criterion A is P-coordinated if it is P- 
coordinated with itself. 

The following theorem states that to prove that two resolution algorithms are 
coordinated for a safety property P, it is sufficient to show that the algorithms 
satisfy P-coordinated criteria. 



Theorem 2. If

1. the criterion A is P-coordinated with B, and

2. the resolution algorithms $\mathtt{cr}_o$ and $\mathtt{cr}_i$ satisfy A and B, respectively,
then $\mathtt{cr}_o$ is P-coordinated with $\mathtt{cr}_i$.

3.2 A Theory of Criteria 

Theorems 1 and 2 provide a way to prove that resolution algorithms are independent 
and coordinated for a safety property. At first glance, it seems that the problem 
of proving P-independence and P-coordination for resolution algorithms has been 
merely transformed into a problem of proving P-independence and P-coordination 
for the set of vectors in a criterion. However, the power of this approach is that
criteria that satisfy P-independence and P-coordination can be defined in an abstract
way, independently from specific safety properties or resolution algorithms.
This section presents basic conditions for the construction of these criteria. These 
conditions will be needed to prove the main theorems in Section 3.3, where the 
first conditions of theorems 1 and 2 are reduced to verifying simpler, geometric 
conditions. 

Definition 11. A set of vectors S is closed under sum if for all vectors $\mathbf{v}, \mathbf{u} \in S$,
$\mathbf{v} + \mathbf{u} \in S$.

It is often useful to know that for a given safety property P, the complement of 
P is closed under sum. 

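Definition 12. A criterion A is sum independent for a safety property P if for all
parameters $\mathbf{s}$, $\mathbf{v}$ such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds, for all vectors $\mathbf{u}' \in A_{\mathbf{s},\mathbf{v}}$ and $\mathbf{v}' \in A_{\mathbf{s},\mathbf{v}}$,
$P_{\mathbf{s},\mathbf{v}}(\mathbf{u}' + \mathbf{v}')$ holds.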

The relation between sum independence and coordination is the main focus of 
Section 3.3. 

There is a notion of a set of vectors being independent of length, and this has 
slightly different definitions for criteria and safety properties. 

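Definition 13. A criterion A is independent of length if for all vectors $\mathbf{s}$, $\mathbf{v}$, $\mathbf{v}'$, and
for all positive real numbers $r$, $A_{\mathbf{s},\mathbf{v}} = A_{\mathbf{s},r\mathbf{v}}$.

Definition 14. A safety property P is independent of length if for all vectors $\mathbf{s}$, $\mathbf{v}$, $\mathbf{v}'$
and all positive real numbers $r$ and $p$, $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \Leftrightarrow P_{\mathbf{s},r\mathbf{v}}(p\mathbf{v}')$.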

The notion of an open set is fundamental to the mathematical field of real anal- 
ysis [17] and it is presented here, in the context of vector analysis, for completeness. 

Definition 15. A set S of vectors is open if for all $\mathbf{v} \in S$, there exists a positive
real number $\delta > 0$ such that for all vectors $\mathbf{u}$ with $\|\mathbf{u}\| < \delta$, $\mathbf{v} + \mathbf{u} \in S$.

For instance, if P is a safety property, then the set of vectors that do not satisfy
P, denoted by $\neg P$, is open if for all vectors $\mathbf{s}$, $\mathbf{v}$, $\mathbf{v}'$ such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds, there
exists $\delta > 0$ such that for all vectors $\mathbf{u}'$ with $\|\mathbf{u}'\| < \delta$, $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}')$.

The two criteria A and B in Definition 10 are usually defined by the same 
parametric set. In this case, the criterion is said to be symmetric if the two aircraft 
see the same set of vectors from their own perspectives. 

Definition 16. A criterion A is symmetric if for all parameters $\mathbf{s}$, $\mathbf{v}$ and for all
vectors $\mathbf{v}'$, $\mathbf{v}' \in A_{\mathbf{s},\mathbf{v}}$ if and only if $-\mathbf{v}' \in A_{-\mathbf{s},-\mathbf{v}}$.

There is a dual concept to symmetry, called asymmetry, where the criteria A
and B are defined by the same parametric set and the two aircraft see the same set
of vectors except for a sign that encodes the perspective of the ownship. The formal
definition of asymmetry requires a notion of signed criterion that takes an additional
parameter $\epsilon = \pm 1$. A signed criterion $A^{\epsilon}$ defines two criteria: $A^{-1}$ and $A^{1}$. The
parameter $\epsilon$ refers to the side of the origin on which any trajectory from $\mathbf{s}$ along
a vector in $A^{\epsilon}$ passes, from the perspective of the ownship. For example, in the
Euclidean 2-dimensional airspace, $\epsilon$ may refer to the horizontal directions left and
right. If a vertical dimension is considered, as in Section 5.4, the parameter $\epsilon$ may
also refer to the vertical directions up and down.

Definition 17. A signed criterion $A^{\epsilon}$ is antisymmetric if for all parameters $\mathbf{s}$, $\mathbf{v}$, $\epsilon$
and for all vectors $\mathbf{v}'$, $\mathbf{v}' \in A^{\epsilon}_{\mathbf{s},\mathbf{v}}$ if and only if $-\mathbf{v}' \in A^{-\epsilon}_{-\mathbf{s},-\mathbf{v}}$.

3.3 General Theorems 

This section presents theorems that reduce the proof of criteria coordination to sum 
independence, which is a simpler geometric property. 

Let A be a criterion and P be an arbitrary safety property. The results in this 
section use the following equality. 

$\mathbf{v}'_o - \mathbf{v}'_i = (\mathbf{v}'_o - \mathbf{v}_i) + (\mathbf{v}_o - \mathbf{v}'_i) - (\mathbf{v}_o - \mathbf{v}_i).$

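Theorem 3. If

1. A is symmetric and sum independent for P, and

2. $\neg P$ is closed under sum,
then A is P-coordinated.

Proof. Let $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, and $\mathbf{v}'_o$, $\mathbf{v}'_i$ be any vectors such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$
holds. Suppose that both $(\mathbf{v}'_o - \mathbf{v}_i) \in A_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in A_{-\mathbf{s},-\mathbf{v}}$. It suffices to
prove that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds. Define $\mathbf{v}' = (\mathbf{v}'_o - \mathbf{v}_i)$ and $\mathbf{u}' = (\mathbf{v}_o - \mathbf{v}'_i)$. The goal
is to prove that

$P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}' - \mathbf{v}).$

Assume that this is false. Since $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}' - \mathbf{v})$ and $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ both hold and $\neg P$
is closed under sum, it follows that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}')$ holds.

However, since A is symmetric and $-\mathbf{u}' \in A_{-\mathbf{s},-\mathbf{v}}$, it follows that $\mathbf{u}' \in A_{\mathbf{s},\mathbf{v}}$. Since
A is sum independent for P, it follows that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}')$. This is a contradiction
and therefore completes the proof. □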
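Theorem 4. If

1. A is symmetric, independent of length, and P-coordinated, and

2. $\neg P$ is open and independent of length,
then A is sum independent for P.

Proof. Suppose that $\mathbf{s}$, $\mathbf{v}$, $\mathbf{v}'$, and $\mathbf{u}'$ are vectors such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$, $\mathbf{v}' \in A_{\mathbf{s},\mathbf{v}}$, and
$\mathbf{u}' \in A_{\mathbf{s},\mathbf{v}}$. It suffices to prove that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}')$ holds. Suppose that this is not true.
Then $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}')$. Since $\neg P$ is open, there exists $\delta > 0$ such that if $\|\mathbf{w}\| < \delta$,
then $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}' + \mathbf{w})$. In particular, $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v}' + \mathbf{u}' - c\mathbf{v})$, where $c =$ . Since
$\neg P$ is independent of length, $\neg P_{\mathbf{s},c\mathbf{v}}(\mathbf{v}' + \mathbf{u}' - c\mathbf{v})$ holds.

Define vectors $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}'_o$ and $\mathbf{v}'_i$ as follows.

$\mathbf{v}_o = \mathbf{0},$
$\mathbf{v}_i = -c\mathbf{v},$
$\mathbf{v}'_o = \mathbf{v}' - c\mathbf{v},$
$\mathbf{v}'_i = -\mathbf{u}'.$

The following equations can easily be proved from these definitions.

$\mathbf{v}'_o - \mathbf{v}'_i = \mathbf{v}' + \mathbf{u}' - c\mathbf{v}.$

Thus, $\neg P_{\mathbf{s},c\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds. Since A is P-coordinated, it suffices to prove the
following three properties.

1. $\neg P_{\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i}(\mathbf{v}_o - \mathbf{v}_i)$,

2. $\mathbf{v}'_o - \mathbf{v}_i \in A_{\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i}$, and

3. $\mathbf{v}'_i - \mathbf{v}_o \in A_{\mathbf{s}_i - \mathbf{s}_o, \mathbf{v}_i - \mathbf{v}_o}$.

The first of these properties is equivalent to $\neg P_{\mathbf{s},c\mathbf{v}}(c\mathbf{v})$, which follows from the
facts that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds and that $\neg P$ is independent of length. The statement that
$\mathbf{v}'_o - \mathbf{v}_i \in A_{\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i}$ is equivalent to $\mathbf{v}' \in A_{\mathbf{s},c\mathbf{v}}$, which follows from the facts that
$\mathbf{v}' \in A_{\mathbf{s},\mathbf{v}}$ holds and that A is independent of length. Finally, the statement that
$\mathbf{v}'_i - \mathbf{v}_o \in A_{\mathbf{s}_i - \mathbf{s}_o, \mathbf{v}_i - \mathbf{v}_o}$ is equivalent to $-\mathbf{u}' \in A_{-\mathbf{s},-c\mathbf{v}}$, which follows from the facts
that $\mathbf{u}' \in A_{\mathbf{s},\mathbf{v}}$ holds, that A is independent of length, and that A is symmetric.
This completes the proof. □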

Corollary 5 follows directly from Theorems 3 and 4. 

Corollary 5 (Equivalence of Coordination and Sum Independence). Suppose that

1. $\mathcal{A}$ is symmetric, sum independent, and independent of length, and

2. $\neg P$ is open, closed under sum, and independent of length,

then $\mathcal{A}$ is $P$-coordinated if and only if it is sum independent for $P$.

There are analogues of Theorems 3 and 4 in the case where $\mathcal{A}^\varepsilon$ is antisymmetric.
These are stated below, and the proofs are identical in form.

Theorem 6. If

1. $\mathcal{A}^\varepsilon$ is antisymmetric and sum independent for $P$, and

2. $\neg P$ is closed under sum,

then $\mathcal{A}^\varepsilon$ is $P$-coordinated with $\mathcal{A}^{-\varepsilon}$.

Theorem 7. If

1. $\mathcal{A}^\varepsilon$ is antisymmetric, independent of length, and $\mathcal{A}^\varepsilon$ is $P$-coordinated with $\mathcal{A}^{-\varepsilon}$,
and

2. $\neg P$ is open and independent of length,

then $\mathcal{A}^\varepsilon$ is sum independent for $P$.

3.4 Derived and Composed Criteria 

Criteria can be composed to form larger sets of vectors that preserve their coordi- 
nation properties. This section presents two criteria combinators, called derivation 
and composition, and states theorems that provide sufficient conditions under which 
these combinators preserve coordination with respect to a safety property P. 

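Theorem 2 is used to prove that if $\sigma_o$ and $\sigma_i$ are resolution algorithms that
satisfy the criterion $\mathcal{A}$, and if $\mathcal{A}$ is $P$-coordinated, then $\sigma_o$ is $P$-coordinated with
$\sigma_i$. In some cases, the condition that $\sigma_o$ satisfies $\mathcal{A}$ can be weakened in this
statement. That is, given a criterion $\mathcal{A}$, it is often possible to construct a family
of criteria from $\mathcal{A}$, called the derived criteria of $\mathcal{A}$, such that if $\sigma_o$ satisfies one
of the derived criteria and $\sigma_i$ satisfies $\mathcal{A}$, the resolution algorithms $\sigma_o$ and $\sigma_i$
are still $P$-coordinated. The family of derived criteria of $\mathcal{A}$ is parameterized by a
nonnegative number $p$.

Definition 18. Let $\mathcal{A}$ be a criterion. The family of derived criteria of $\mathcal{A}$, denoted
$\mathit{Deriv}^p(\mathcal{A})$, is defined as follows.

$$\mathit{Deriv}^p(\mathcal{A})_{\mathbf{s},\mathbf{v}} = \{\mathbf{v}' \mid (\mathbf{v}' - p\,\mathbf{v}) \in \mathcal{A}_{\mathbf{s},\mathbf{v}}\}.$$

From this definition it is easy to see that $\mathit{Deriv}^0(\mathcal{A})_{\mathbf{s},\mathbf{v}} = \mathcal{A}_{\mathbf{s},\mathbf{v}}$. Theorem 8 gives
sufficient conditions under which the criterion $\mathit{Deriv}^p(\mathcal{A})$ is a weaker condition on
the algorithm $\sigma_o$ than the criterion $\mathcal{A}$.

Theorem 8. If the criterion $\mathcal{A}$ is closed under sum and $-p\,\mathbf{v} \in \mathcal{A}_{\mathbf{s},\mathbf{v}}$, then $\mathcal{A}$ is a
subset of $\mathit{Deriv}^p(\mathcal{A})$, i.e.,

$$\mathcal{A}_{\mathbf{s},\mathbf{v}} \subseteq \mathit{Deriv}^p(\mathcal{A})_{\mathbf{s},\mathbf{v}}.$$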
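The most important property of the derived criterion is coordination.

Theorem 9. If $p + q = 1$ and the criterion $\mathcal{A}$ is symmetric and sum independent
for a safety property $P$, then $\mathit{Deriv}^p(\mathcal{A})$ is $P$-coordinated with $\mathit{Deriv}^q(\mathcal{A})$.

Proof. Let $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, and $\mathbf{v}'_o$, $\mathbf{v}'_i$ be any vectors such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$
holds. Suppose that $(\mathbf{v}'_o - \mathbf{v}_i) \in \mathit{Deriv}^p(\mathcal{A})_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathit{Deriv}^q(\mathcal{A})_{-\mathbf{s},-\mathbf{v}}$.
It suffices to prove that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds. By the definition of $\mathit{Deriv}^q(\mathcal{A})$,
$\mathbf{v}'_i - \mathbf{v}_o + q\,\mathbf{v} \in \mathcal{A}_{-\mathbf{s},-\mathbf{v}}$. Since $\mathcal{A}$ is symmetric, $\mathbf{v}_o - \mathbf{v}'_i - q\,\mathbf{v} \in \mathcal{A}_{\mathbf{s},\mathbf{v}}$. By the definition
of $\mathit{Deriv}^p(\mathcal{A})$, $\mathbf{v}'_o - \mathbf{v}_i - p\,\mathbf{v} \in \mathcal{A}_{\mathbf{s},\mathbf{v}}$. Since $\mathcal{A}$ is sum independent, it follows that
$P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}_i - p\,\mathbf{v} + \mathbf{v}_o - \mathbf{v}'_i - q\,\mathbf{v})$ holds, and since
$\mathbf{v}'_o - \mathbf{v}_i - p\,\mathbf{v} + \mathbf{v}_o - \mathbf{v}'_i - q\,\mathbf{v} = \mathbf{v}'_o - \mathbf{v}'_i$,
the result follows. □

Corollary 10. If the criterion $\mathcal{A}$ is symmetric and sum independent for $P$, then $\mathcal{A}$
is $P$-coordinated with $\mathit{Deriv}^1(\mathcal{A})$.

It is important to note that if the criterion $\mathcal{A}_{\mathbf{s},\mathbf{v}}$ contains the vector $\mathbf{0}$, then the
derived criterion $\mathit{Deriv}^p(\mathcal{A})_{\mathbf{s},\mathbf{v}}$ contains the relative velocity vector $p\,\mathbf{v}$. In particular,
if $p = 1$ and $\mathcal{A}$ is symmetric and sum independent for $P$, then, by Corollary 10, an
algorithm $\sigma_o$ that always returns the current velocity vector is coordinated with
an algorithm $\sigma_i$ that satisfies the criterion $\mathcal{A}$.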

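Using the derivation combinator, a composition combinator is defined that takes
two criteria $\mathcal{A}$ and $\mathcal{B}$ and composes them into one criterion $\mathit{Comp}(\mathcal{A}, \mathcal{B})$, called the
composed criterion, that contains vectors from both criteria.

Definition 19. The composed criterion of $\mathcal{A}$ and $\mathcal{B}$ is defined as follows.

$$\mathit{Comp}(\mathcal{A}, \mathcal{B}) = \mathcal{A} \cup (\mathcal{B} \cap \mathit{Deriv}^1(\mathcal{A})). \tag{2}$$

The following theorem gives sufficient conditions under which the composed
criterion preserves coordination for a safety property $P$.

Theorem 11. Let $\mathcal{A}$ be sum independent for the safety property $P$ and symmetric,
such that $\neg P$ is closed under sum. If $\mathcal{B}$ is $P$-coordinated with $\mathcal{B}'$, then $\mathit{Comp}(\mathcal{A}, \mathcal{B})$
is $P$-coordinated with $\mathit{Comp}(\mathcal{A}, \mathcal{B}')$.

Proof. Theorem 3 in Section 3.3 implies that $\mathcal{A}$ is coordinated. Let $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$,
$\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, and $\mathbf{v}'_o$, $\mathbf{v}'_i$ be any vectors such that $\neg P_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds. Suppose that
$(\mathbf{v}'_o - \mathbf{v}_i) \in \mathit{Comp}(\mathcal{A}, \mathcal{B})_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathit{Comp}(\mathcal{A}, \mathcal{B}')_{-\mathbf{s},-\mathbf{v}}$. It suffices to prove
that $P_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}'_i)$ holds. There are four possibilities:

1. $(\mathbf{v}'_o - \mathbf{v}_i) \in \mathcal{A}_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathcal{A}_{-\mathbf{s},-\mathbf{v}}$.

2. $(\mathbf{v}'_o - \mathbf{v}_i) \in \mathcal{A}_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathcal{B}'_{-\mathbf{s},-\mathbf{v}} \cap \mathit{Deriv}^1(\mathcal{A})_{-\mathbf{s},-\mathbf{v}}$.

3. $(\mathbf{v}'_o - \mathbf{v}_i) \in \mathcal{B}_{\mathbf{s},\mathbf{v}} \cap \mathit{Deriv}^1(\mathcal{A})_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathcal{A}_{-\mathbf{s},-\mathbf{v}}$.

4. $(\mathbf{v}'_o - \mathbf{v}_i) \in \mathcal{B}_{\mathbf{s},\mathbf{v}} \cap \mathit{Deriv}^1(\mathcal{A})_{\mathbf{s},\mathbf{v}}$ and $(\mathbf{v}'_i - \mathbf{v}_o) \in \mathcal{B}'_{-\mathbf{s},-\mathbf{v}} \cap \mathit{Deriv}^1(\mathcal{A})_{-\mathbf{s},-\mathbf{v}}$.

The result follows in the first case from the fact that $\mathcal{A}$ is coordinated for $P$, in the
second and third cases from the fact that $\mathcal{A}$ is coordinated with $\mathit{Deriv}^1(\mathcal{A})$ for $P$
(Corollary 10), and in the final case from the fact that $\mathcal{B}$ and $\mathcal{B}'$ are coordinated
for $P$. □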
4 Safety Properties


As stated in Definition 4 in Section 2.2, a safety property is a predicate used by 
the ownship and intruder aircraft to agree on whether a particular state is safe. 
For example, if the ownship determines that a given relative resolution maneuver 
is conflict-free, the same resolution maneuver must be conflict-free when considered 
by the intruder aircraft. 

The safety property of interest for conflict resolution algorithms is the absence 
of conflict between the ownship and the intruder aircraft. However, in some circum- 
stances, that safety property cannot be immediately recovered, for example when 
the aircraft are already in loss of separation. In those cases, it may be useful to
consider a stronger safety property such as divergence, i.e., the resolution maneuvers
guarantee that the distance between the aircraft immediately increases, or a weaker
safety property such as repulsion, i.e., the resolution maneuvers guarantee that the 
distance at time of closest approach increases. 

In an expressive logic like the one provided by the verification system PVS, safety 
properties can be specified using universal or existential quantifiers. The statements
of these definitions follow their natural logical description. However, quantifiers
are not always implementable in an algorithmic way and, therefore, these natural 
definitions of safety properties cannot be mechanically checked by a computer. This 
section provides analytical definitions of safety properties that can be implemented 
by algorithms and that are equivalent to their intuitive logical description based on 
quantifiers. 

4.1 Absence of Conflict 

The safety property that determines whether a given state is conflict-free is defined
by the predicate

$$\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \equiv \neg\,\mathit{Conflict}(\mathbf{s}, \mathbf{v}'). \tag{3}$$

The parametric predicate ConflictFree is a safety property according to Definition 4
in Section 2.2, i.e., it satisfies the following condition.

$$\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \mathit{ConflictFree}_{-\mathbf{s},-\mathbf{v}}(-\mathbf{v}').$$

Since Formula (3) involves a quantifier in the definition of Conflict, it is not practical
for checking whether a given relative vector $\mathbf{v}'$ is conflict-free. This section offers
an alternative, but equivalent, characterization of the safety property ConflictFree,
where the quantifier has been eliminated.

If $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, then the half line $\mathbf{s} + t\,\mathbf{v}$, with $t > 0$, must intersect the
circle of radius $D$ at exactly two distinct times $t$. These times correspond to the
solutions of the quadratic equation

$$0 = \|\mathbf{s} + t\,\mathbf{v}\|^2 - D^2 = \|\mathbf{v}\|^2 t^2 + 2(\mathbf{s}\cdot\mathbf{v})\,t + (\|\mathbf{s}\|^2 - D^2). \tag{4}$$

The discriminant of the polynomial on $t$ in Formula (4) is given by $4\,\Delta(\mathbf{s}, \mathbf{v})$, where

$$\Delta(\mathbf{s}, \mathbf{v}) = (\mathbf{s}\cdot\mathbf{v})^2 - \|\mathbf{v}\|^2(\|\mathbf{s}\|^2 - D^2). \tag{5}$$
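Equation (4) has solutions when the discriminant is nonnegative and it has exactly
two distinct solutions when it is strictly positive, i.e., when $\Delta(\mathbf{s}, \mathbf{v}) > 0$. The roots
of this quadratic equation are given by the following function, where $\iota = \pm 1$.

$$\Theta_D(\mathbf{s}, \mathbf{v}, \iota) = \frac{-\mathbf{s}\cdot\mathbf{v} + \iota\sqrt{(\mathbf{s}\cdot\mathbf{v})^2 - \|\mathbf{v}\|^2(\|\mathbf{s}\|^2 - D^2)}}{\|\mathbf{v}\|^2}. \tag{6}$$

If $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, $\Theta_D(\mathbf{s}, \mathbf{v}, -1)$ is the time when the aircraft lose separation and
$\Theta_D(\mathbf{s}, \mathbf{v}, 1)$ is the time when the aircraft recover separation. The following lemmas
are proved by algebraic manipulations.

Lemma 12. If $\Delta(\mathbf{s}, \mathbf{v}) \ge 0$, then $\|\mathbf{s} + \Theta_D(\mathbf{s}, \mathbf{v}, \iota)\,\mathbf{v}\| = D$, for $\iota = \pm 1$, and

$$\Theta_D(\mathbf{s}, \mathbf{v}, -1) \le \Theta_D(\mathbf{s}, \mathbf{v}, 1).$$

Furthermore, if $\Delta(\mathbf{s}, \mathbf{v}) > 0$, then $\Theta_D(\mathbf{s}, \mathbf{v}, -1) < \Theta_D(\mathbf{s}, \mathbf{v}, 1)$.

Lemma 13. If $\|\mathbf{s}\| > D$, then $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds if and only if $\mathbf{s}\cdot\mathbf{v} < 0$ and
$\Delta(\mathbf{s}, \mathbf{v}) > 0$.

From Equation (3) and Lemma 13, the following equivalence holds.

$$\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \|\mathbf{s}\| > D \text{ and } (\mathbf{s}\cdot\mathbf{v}' \ge 0 \text{ or } \Delta(\mathbf{s}, \mathbf{v}') \le 0). \tag{7}$$

Equation (7) provides an analytical way to check whether a relative vector $\mathbf{v}'$
results in a projected linear trajectory that is free of conflict.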


4.2 Divergence 

Another safety property that is useful, especially when the aircraft are already in
loss of separation, is divergence. It is stronger than the notion of conflict in the
case where the aircraft are currently horizontally separated. The ownship and the
intruder aircraft are (horizontally) divergent if the distance between the aircraft is
increasing, i.e.,

$$\mathit{Divergence}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \equiv \forall\, t > 0 : \|\mathbf{s} + t\,\mathbf{v}'\| > \|\mathbf{s}\|. \tag{8}$$

The parametric predicate Divergence is a safety property, i.e., it satisfies that for all
vectors $\mathbf{v}'$,

$$\mathit{Divergence}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \mathit{Divergence}_{-\mathbf{s},-\mathbf{v}}(-\mathbf{v}').$$

Equation (8) is not practical for checking divergence because of the universal
quantification on $t$. However, it can be proved using basic algebra that divergence is
equivalent to the dot product $\mathbf{s}\cdot\mathbf{v}'$ being nonnegative. Thus, the following
equivalence holds.

$$\mathit{Divergence}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \mathbf{s}\cdot\mathbf{v}' \ge 0. \tag{9}$$

Equation (9) provides an analytical way to check whether a relative vector $\mathbf{v}'$
results in a projected linear trajectory that is divergent.





4.3 Repulsion 

A resolution maneuver is repulsive if it increases the minimum future distance
between the aircraft. Given the current relative velocity vector $\mathbf{v}_o - \mathbf{v}_i$, for the ownship
aircraft with respect to the intruder, repulsion is a predicate on the relative velocity
vector $\mathbf{v}'_o - \mathbf{v}_i$, where $\mathbf{v}'_o$ is a new velocity vector representing a maneuver for the
ownship. It implies that the minimum distance achieved by the aircraft for positive
time is greater if the new velocity vector $\mathbf{v}'_o$ is chosen by the ownship instead of the
current vector $\mathbf{v}_o$. This is formalized as follows.

The time $\mathit{tca}(\mathbf{s}, \mathbf{v})$, referred to as the time of closest approach for the vectors
$\mathbf{s}$ and $\mathbf{v}$, is the time at which the aircraft achieve minimum horizontal separation.
If the relative velocity vector $\mathbf{v}$ is zero, the distance between the aircraft remains
constant at the value $\|\mathbf{s}\|$. In this case, the time of closest approach is defined to be
0. In the general case, the time of closest approach is defined as follows.

$$\mathit{tca}(\mathbf{s}, \mathbf{v}) = \begin{cases} 0, & \text{if } \mathbf{v} = \mathbf{0},\\[4pt] -\dfrac{\mathbf{s}\cdot\mathbf{v}}{\|\mathbf{v}\|^2}, & \text{otherwise.} \end{cases} \tag{10}$$

The following theorem, which is proved using elementary algebraic methods,
states that tca indeed computes the time of closest approach between the aircraft.

Theorem 14. For all real numbers $t$,

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}\| \le \|\mathbf{s} + t\,\mathbf{v}\|.$$

A stronger result can be proved when $\mathbf{v}$ is nonzero.

Theorem 15. If $\mathbf{v} \ne \mathbf{0}$, then for all real numbers $t \ne \mathit{tca}(\mathbf{s}, \mathbf{v})$,

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}\| < \|\mathbf{s} + t\,\mathbf{v}\|.$$

Using the function tca, repulsive resolution maneuvers are formally defined by
the following predicate.

$$\begin{aligned}
\mathit{Repulsion}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \equiv{}& \mathit{tca}(\mathbf{s}, \mathbf{v}) > 0 \text{ and}\\
& (\mathit{tca}(\mathbf{s}, \mathbf{v}') \le 0 \text{ or}\\
& \ \|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}\| < \|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\|).
\end{aligned} \tag{11}$$

Equation (11) provides an analytical way to check whether a relative vector $\mathbf{v}'$
results in a projected linear trajectory that is repulsive with respect to the original
vector $\mathbf{v}$. The parametric predicate Repulsion is a safety property, i.e., it satisfies
that for all vectors $\mathbf{v}'$,

$$\mathit{Repulsion}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \mathit{Repulsion}_{-\mathbf{s},-\mathbf{v}}(-\mathbf{v}').$$
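The quantifier-free checks of Equations (5) to (7) and (9) to (11), written out as an added Python example (not code from the paper or its PVS development). The value D = 5, the helper names, the time-grid cross-check and the random encounters are constructed for illustration, and Conflict is assumed to mean that some t > 0 gives ||s + t v|| < D, as in the 3-dimensional definition of Section 5.4.

```python
import math
import random

D = 5.0  # assumed separation minimum (nautical miles); the page leaves D symbolic


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def norm(a):
    return math.hypot(a[0], a[1])


def at(s, v, t):
    """Relative position s + t*v."""
    return (s[0] + t * v[0], s[1] + t * v[1])


def delta(s, v):
    """Eq. (5): a quarter of the discriminant of ||s + t v||^2 - D^2 = 0."""
    return dot(s, v) ** 2 - dot(v, v) * (dot(s, s) - D * D)


def theta(s, v, iota):
    """Eq. (6): time of loss (iota=-1) or recovery (iota=+1) of separation."""
    if dot(v, v) == 0 or delta(s, v) < 0:
        raise ValueError("Eq. (6) needs v != 0 and delta(s, v) >= 0")
    return (-dot(s, v) + iota * math.sqrt(delta(s, v))) / dot(v, v)


def conflict_free(s, v_new):
    """Eq. (7): quantifier-free test that v_new is free of conflict."""
    return norm(s) > D and (dot(s, v_new) >= 0 or delta(s, v_new) <= 0)


def divergence(s, v_new):
    """Eq. (9): the distance between the aircraft does not decrease."""
    return dot(s, v_new) >= 0


def tca(s, v):
    """Eq. (10): time of closest approach, 0 when v is the zero vector."""
    return 0.0 if dot(v, v) == 0 else -dot(s, v) / dot(v, v)


def repulsion(s, v, v_new):
    """Eq. (11): v_new increases the distance at closest approach."""
    if tca(s, v) <= 0:
        return False
    t_new = tca(s, v_new)
    return t_new <= 0 or norm(at(s, v, tca(s, v))) < norm(at(s, v_new, t_new))


def conflict_by_sampling(s, v, horizon=100.0, steps=4000):
    """The quantified definition read literally, approximated on a time grid."""
    return any(norm(at(s, v, horizon * k / steps)) < D for k in range(1, steps + 1))


def random_vector(rng, lo, hi):
    r, a = rng.uniform(lo, hi), rng.uniform(0.0, 2.0 * math.pi)
    return (r * math.cos(a), r * math.sin(a))


def cross_check(trials=100, seed=7):
    """Count disagreements between Eq. (7) and the sampled quantifier."""
    rng, bad = random.Random(seed), 0
    for _ in range(trials):
        s, v = random_vector(rng, 6.0, 40.0), random_vector(rng, 0.5, 10.0)
        closest = norm(at(s, v, max(tca(s, v), 0.0)))
        if abs(closest - D) < 0.1:
            continue  # near-tangent: a time grid cannot decide these reliably
        bad += conflict_free(s, v) == conflict_by_sampling(s, v)
    return bad


def symmetric(trials=500, seed=11):
    """Safety-property condition: P_{s,v}(v') iff P_{-s,-v}(-v')."""
    rng = random.Random(seed)
    for _ in range(trials):
        s, v, w = (random_vector(rng, 0.0, 40.0) for _ in range(3))
        ns, nv, nw = ((-x, -y) for x, y in (s, v, w))
        if (conflict_free(s, w) != conflict_free(ns, nw)
                or divergence(s, w) != divergence(ns, nw)
                or repulsion(s, v, w) != repulsion(ns, nv, nw)):
            return False
    return True
```

The symmetry check is what lets the ownship and the intruder evaluate the same predicate from their own frames and reach the same verdict.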
5 Criteria


As stated in Definition 7 in Section 3.1, a criterion is a parametric set of vectors 
with parameters s and v. This section presents concrete examples of criteria that 
are useful when proving coordination and independence for the safety properties 
Divergence, ConflictFree, and Repulsion. Theorems about these criteria are pre- 
sented, including whether they are closed under sum, sum independent, independent 
of length, symmetric, and antisymmetric. One criterion that is particularly helpful 
when proving results about conflict resolution algorithms is the horizontal criterion, 
given by Definition 13 in Section 5.1. In Section 5.3, proofs of some fundamental 
properties of this criterion are presented, including a proof that it is maximal among 
signed, symmetric criteria that are independent of length and coordinated for Con- 
flictFree. Finally, in Section 5.4, the notions of criteria, coordination, independence, 
and resolution algorithms are all extended to a three dimensional airspace. In that 
section, an antisymmetric criterion is defined for vertical maneuvers, and it is proved 
that this criterion is coordinated for the 3D version of the ConflictFree safety prop- 
erty. This new criterion is combined with the horizontal criterion using tools from 
Section 3.4 to form a new criterion that is coordinated and allows both vertical and 
horizontal resolution maneuvers. 

5.1 Divergence, Horizontal, and Repulsion Criteria 

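Figure 1 illustrates the criterion $\mathcal{D}$, called divergence criterion, which is defined as
follows.

$$\mathcal{D}_{\mathbf{s},\mathbf{v}} = \{\mathbf{v}' \mid \mathbf{s}\cdot\mathbf{v}' \ge 0\}. \tag{12}$$

The following lemma states that the criterion $\mathcal{D}$ is independent for the safety
property Divergence (Section 4.2) and, if $\|\mathbf{s}\|^2 > D$, it is also independent for the safety
property ConflictFree (Section 4.1).

Lemma 16.

• For all $\mathbf{v}' \in \mathcal{D}_{\mathbf{s},\mathbf{v}}$, $\mathit{Divergence}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.

• If $\|\mathbf{s}\|^2 > D$, then for all $\mathbf{v}' \in \mathcal{D}_{\mathbf{s},\mathbf{v}}$, $\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.

Proof. By Formula (9) in Section 4.2, $\mathcal{D}$ consists of all vectors that satisfy the
predicate Divergence. The second part is a direct consequence of the definition of
the predicate Divergence. □

Figure 2 illustrates the signed criterion $\mathcal{H}^\varepsilon$, called horizontal criterion, which is
defined as follows.

$$\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}} = \Big\{\mathbf{v}' \;\Big|\; \|\mathbf{s}\| > D \text{ and } \mathbf{s}\cdot\mathbf{v}' \ge \frac{\varepsilon}{D}\,(\mathbf{s}\cdot\mathbf{v}'^{\perp})\sqrt{\|\mathbf{s}\|^2 - D^2}\Big\}. \tag{13}$$

The signed criterion $\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$ defines two criteria: $\mathcal{H}^{1}_{\mathbf{s},\mathbf{v}}$, which is shown in blue, and
$\mathcal{H}^{-1}_{\mathbf{s},\mathbf{v}}$, which is shown in green. The sets $\mathcal{H}^{1}_{\mathbf{s},\mathbf{v}}$ and $\mathcal{H}^{-1}_{\mathbf{s},\mathbf{v}}$ are not disjoint. Indeed,
vectors in the gray area are in both sets. The following lemmas state that the signed
criterion $\mathcal{H}^\varepsilon$ is ConflictFree-independent.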
Figure 1. Divergence Criterion $\mathcal{D}$

Figure 2. Horizontal Criterion $\mathcal{H}^\varepsilon$
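Lemma 17. For all $\mathbf{v}' \in \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$, $\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.

Figure 3 illustrates the derived horizontal criterion $\mathit{Deriv}^p(\mathcal{H}^{-1})$, when $p < 1$.
That criterion is a superset of $\mathcal{H}^{-1}$. However, in contrast to $\mathcal{H}^{-1}$, the derived
criterion $\mathit{Deriv}^p(\mathcal{H}^{-1})$ is not independent for the safety property ConflictFree when
$p > 0$. As shown by Figure 3, some vectors in $\mathit{Deriv}^p(\mathcal{H}^{-1})$ intersect the protected
area around the intruder aircraft.

Figure 4 illustrates the signed criterion $\mathcal{R}^\varepsilon$, called repulsion criterion, which is
defined as follows.

$$\mathcal{R}^\varepsilon_{\mathbf{s},\mathbf{v}} = \{\mathbf{v}' \mid \varepsilon\,\mathbf{s}\cdot\mathbf{v}^{\perp} < 0 \text{ and } \mathbf{s}\cdot\mathbf{v} < 0 \text{ and } \mathbf{s}\cdot\mathbf{v}' < 0 \text{ and } \varepsilon\,\mathbf{v}'\cdot\mathbf{v}^{\perp} < 0\}. \tag{14}$$

The set $\mathcal{R}^\varepsilon_{\mathbf{s},\mathbf{v}}$ is always empty when $\varepsilon = \mathrm{sign}(\mathbf{s}\cdot\mathbf{v}^{\perp})$. The following lemma gives
sufficient conditions under which the signed criterion $\mathcal{R}^\varepsilon$ is Repulsion-independent
(Section 4.3).

Lemma 18. If $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, then for all $\mathbf{v}' \in \mathcal{R}^\varepsilon_{\mathbf{s},\mathbf{v}}$, $\mathit{Repulsion}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.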

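Proof. Suppose $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds and $\mathbf{v}' \in \mathcal{R}^\varepsilon_{\mathbf{s},\mathbf{v}}$, but that $\mathit{Repulsion}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ does
not hold. By the definition of the predicate Repulsion, $\mathit{tca}(\mathbf{s}, \mathbf{v})$ and $\mathit{tca}(\mathbf{s}, \mathbf{v}')$ are
both positive. It suffices to prove that

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}\| < \|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\|.$$

It is a basic property of linear algebra that if $\mathbf{e}_1$ and $\mathbf{e}_2$ are any two nonzero
orthogonal vectors, then any vector $\mathbf{w}$ can be written as a linear combination of $\mathbf{e}_1$
and $\mathbf{e}_2$ as follows.

$$\mathbf{w} = \frac{\mathbf{w}\cdot\mathbf{e}_1}{\|\mathbf{e}_1\|^2}\,\mathbf{e}_1 + \frac{\mathbf{w}\cdot\mathbf{e}_2}{\|\mathbf{e}_2\|^2}\,\mathbf{e}_2.$$

Further, with such a decomposition, the squared norm $\|\mathbf{w}\|^2$ can be computed by
the following equation.

$$\|\mathbf{w}\|^2 = \frac{(\mathbf{w}\cdot\mathbf{e}_1)^2}{\|\mathbf{e}_1\|^2} + \frac{(\mathbf{w}\cdot\mathbf{e}_2)^2}{\|\mathbf{e}_2\|^2}.$$

Let $\mathbf{s}_{tca} = \mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$. It is easy to see from the definition of the function tca
that $\mathbf{s}_{tca}$ and $\mathbf{v}$ are orthogonal. Thus, the following equation is satisfied.

$$\mathbf{v}' = \frac{\mathbf{v}'\cdot\mathbf{s}_{tca}}{\|\mathbf{s}_{tca}\|^2}\,\mathbf{s}_{tca} + \frac{\mathbf{v}'\cdot\mathbf{v}}{\|\mathbf{v}\|^2}\,\mathbf{v}.$$

Similarly, $\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$ can be written as a linear combination of $\mathbf{v}$ and $\mathbf{v}^{\perp}$, and
since it is perpendicular to $\mathbf{v}$ and $-\varepsilon\,\mathbf{s}\cdot\mathbf{v}^{\perp}$ is nonnegative, it follows that

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}\| = \frac{-1}{\|\mathbf{v}\|}\,\varepsilon\,\mathbf{s}\cdot\mathbf{v}^{\perp}.$$

If it can be proved that

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\| \ge \frac{-1}{\|\mathbf{v}\|}\,\big(\varepsilon\,\mathbf{s}\cdot\mathbf{v}^{\perp} + \varepsilon\,\mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\cdot\mathbf{v}^{\perp}\big), \tag{15}$$

then the result will follow, because $\mathit{tca}(\mathbf{s}, \mathbf{v}') > 0$, and by hypothesis, $-\varepsilon\,\mathbf{v}'\cdot\mathbf{v}^{\perp} > 0$.
Thus, it suffices to prove Equation (15). It follows from definitions that

$$\begin{aligned}
-\varepsilon\,\mathbf{s}\cdot\mathbf{v}^{\perp} - \varepsilon\,\mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\cdot\mathbf{v}^{\perp} &= (\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}')\cdot(-\varepsilon\,\mathbf{v}^{\perp})\\
&\le \|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\|\,\|{-\varepsilon}\,\mathbf{v}^{\perp}\|\\
&= \|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\|\,\|\mathbf{v}\|,
\end{aligned}$$

where the inequality is given by the Cauchy-Schwarz inequality. The result follows
from there. □

Figure 4. Repulsion Criterion $\mathcal{R}^\varepsilon$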

5.2 Coordination Properties of $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$

Proven facts about these criteria are presented below, including whether they are
closed under sum, sum independent, independent of length, symmetric, and
antisymmetric. These results are used to deduce that the criteria $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$, defined
in Section 5.1, are coordinated with themselves for the safety properties Divergence,
ConflictFree, and Repulsion, respectively.

Lemma 19. The criteria $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$, for $\varepsilon = \pm 1$, are all closed under sum.

Lemma 20. The complements of the predicates ConflictFree and Divergence are
closed under sum.

Lemma 21. All of the following propositions hold.

1. The criterion $\mathcal{D}$ is sum independent for Divergence.

2. The signed criterion $\mathcal{H}^\varepsilon$ is sum independent for ConflictFree.

3. The signed criterion $\mathcal{R}^\varepsilon$ is sum independent for Repulsion.

Lemma 22. The criteria $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$, for $\varepsilon = \pm 1$, are all independent of length.

Lemma 23. The safety properties Divergence, ConflictFree, Repulsion, and their
complements, are all independent of length.

Lemma 24. The criteria $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$, for $\varepsilon = \pm 1$, are all symmetric.

The results in Section 3.3, which relate coordination between criteria to these
simpler geometric properties, are used to deduce coordination for the criteria defined
in Section 5.1.

Theorem 25. The criteria $\mathcal{D}$, $\mathcal{H}^\varepsilon$, and $\mathcal{R}^\varepsilon$ are coordinated with themselves for the
safety properties Divergence, ConflictFree, and Repulsion, respectively.

Proof. This follows from Corollary 5 in Section 3.3 and from Lemmas 19 to 24. □
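A randomized exercise of Theorem 25, Theorem 9 and Corollary 10 for the divergence criterion of Equation (12) and the safety property Divergence, as an added Python example (not the paper's PVS development; a sampled check illustrates the theorems, it does not prove them). The algorithms `share_resolver` and `keep_velocity`, the `audit` harness and the random encounters are hypothetical constructions; each algorithm returns a single velocity and sees only the four broadcast state vectors.

```python
import random


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])


def add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def scale(k, a):
    return (k * a[0], k * a[1])


def divergence(s, w):
    """Safety property Divergence, Eq. (9)."""
    return dot(s, w) >= 0


def div_criterion(s, v, w):
    """Divergence criterion, Eq. (12); the set does not depend on v."""
    return dot(s, w) >= 0


def deriv(criterion, p):
    """Definition 18: w is in Deriv^p(A)_{s,v} iff w - p*v is in A_{s,v}."""
    return lambda s, v, w: criterion(s, v, sub(w, scale(p, v)))


def keep_velocity(s_own, s_traffic, v_own, v_traffic):
    """Algorithm that always returns the current velocity vector."""
    return v_own


def share_resolver(p, margin=0.05):
    """Hypothetical algorithm: cancels a share (1 - p) of the closing rate and
    adds a small outward push, so its relative output lies in Deriv^p(D)."""
    def sigma(s_own, s_traffic, v_own, v_traffic):
        s, v = sub(s_own, s_traffic), sub(v_own, v_traffic)
        closing = dot(s, v) / dot(s, s)
        w = add(v, scale(margin - (1 - p) * closing, s))  # new relative velocity
        return add(w, v_traffic)
    return sigma


def closing_state(rng):
    """Constructed encounter with s.v < 0, i.e. Divergence_{s,v}(v) is false."""
    while True:
        s_o, s_i, v_o, v_i = (tuple(rng.uniform(-30, 30) for _ in range(2))
                              for _ in range(4))
        s, v = sub(s_o, s_i), sub(v_o, v_i)
        if dot(s, s) >= 36.0 and dot(s, v) < -1e-6:
            return s_o, s_i, v_o, v_i


def audit(sigma_o, crit_o, sigma_i, crit_i, trials=2000, seed=3):
    """Return (criterion violations, uncoordinated outcomes) over random encounters."""
    rng, violations, uncoordinated = random.Random(seed), 0, 0
    for _ in range(trials):
        s_o, s_i, v_o, v_i = closing_state(rng)
        s, v = sub(s_o, s_i), sub(v_o, v_i)
        new_o = sigma_o(s_o, s_i, v_o, v_i)  # each aircraft decides on its own,
        new_i = sigma_i(s_i, s_o, v_i, v_o)  # in its own relative frame
        ok_o = crit_o(s, v, sub(new_o, v_i))
        ok_i = crit_i(sub(s_i, s_o), sub(v_i, v_o), sub(new_i, v_o))
        violations += (not ok_o) + (not ok_i)
        # Coordination: the joint relative velocity must satisfy the property.
        uncoordinated += not divergence(s, sub(new_o, new_i))
    return violations, uncoordinated
```

Two aircraft that both keep their velocity each satisfy Deriv^1 of the criterion, but p + q = 2, so Theorem 9 does not apply and every closing encounter stays non-divergent; the test includes that case as the contrast.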

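The horizontal criterion $\mathcal{H}^\varepsilon$ satisfies all the hypotheses of Theorem 9. Hence,
even though in general the derived criterion $\mathit{Deriv}^p(\mathcal{H}^\varepsilon)$ is not independent or
coordinated with itself for the safety property ConflictFree, it is always coordinated
with $\mathcal{H}^\varepsilon$ for the safety property ConflictFree.

Lemma 26. For $\varepsilon = \pm 1$ and $p > 0$, the derived criterion $\mathit{Deriv}^p(\mathcal{H}^\varepsilon)$ is
ConflictFree-coordinated with $\mathcal{H}^\varepsilon$.

The following theorem is a consequence of Lemma 26. Its usefulness is illustrated
in Section 7.3 to prove that two distinct resolution algorithms are
ConflictFree-coordinated.

Theorem 27. Suppose that $\sigma_o$ and $\sigma_i$ are resolution algorithms for the ownship
and the intruder aircraft, respectively, such that $\sigma_o$ satisfies $\mathcal{H}^\varepsilon$ and that for all
vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}'_i$, $\mathbf{v}'_i \in \sigma_i(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ implies $\mathbf{v}'_i - \mathbf{v}_i \in \mathcal{H}^\varepsilon_{\mathbf{s}_i - \mathbf{s}_o,\,\mathbf{v}_i - \mathbf{v}_o}$. Then
$\sigma_o$ and $\sigma_i$ are coordinated for the safety property ConflictFree.

Proof. By Lemma 26, it suffices to prove that the algorithm $\sigma_i$ satisfies the criterion
$\mathit{Deriv}^1(\mathcal{H}^\varepsilon)$. That is, it suffices to prove that if $\mathbf{v}'_i \in \sigma_i(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$, then
$\mathbf{v}'_i - \mathbf{v}_o \in \mathit{Deriv}^1(\mathcal{H}^\varepsilon)_{\mathbf{s}_i - \mathbf{s}_o,\,\mathbf{v}_i - \mathbf{v}_o}$, or equivalently
$(\mathbf{v}'_i - \mathbf{v}_o) - (\mathbf{v}_i - \mathbf{v}_o) \in \mathcal{H}^\varepsilon_{\mathbf{s}_i - \mathbf{s}_o,\,\mathbf{v}_i - \mathbf{v}_o}$. Since
$(\mathbf{v}'_i - \mathbf{v}_o) - (\mathbf{v}_i - \mathbf{v}_o) = \mathbf{v}'_i - \mathbf{v}_i$, the result follows. □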

5.3 Fundamental Properties of Horizontal Criterion 

According to Lemma 17, the horizontal criterion $\mathcal{H}^\varepsilon$ is ConflictFree-independent
and, according to Theorem 25, $\mathcal{H}^\varepsilon$ is also ConflictFree-coordinated. Since ConflictFree
is the intended safety property of conflict resolution algorithms, the horizontal
criterion is particularly important for designing CD&R algorithms and for verifying
their coordination properties.

This section provides some fundamental results on the horizontal criterion. First,
it is proved that any conflict resolution algorithm that computes relative velocity
vectors that are tangent to the protected zone satisfies the horizontal criterion and,
therefore, it is independent and coordinated for the safety property ConflictFree.
Second, it is shown that the horizontal criterion is maximal among signed criteria
that are symmetric, independent of length, and coordinated for ConflictFree.

5.3.1 Tangential Resolutions Satisfy Horizontal Criterion

A common approach to developing algorithms that resolve conflicts between the
ownship and the intruder is to find a new velocity vector $\mathbf{v}'_o$ for the ownship such
that the new relative velocity vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ has the property that the trajectory
from $\mathbf{s}$ along $\mathbf{v}'$ is tangent to the circle of radius $D$ around the origin. If the intruder
does not maneuver, then the minimum separation between the aircraft is precisely
$D$. Here, these kinds of resolutions are called line solutions.

In Figure 5, the vector $\mathbf{v}'$ is tangent to the right side of the circle. From this
diagram, it is clear that $\mathbf{s}\cdot\mathbf{v}'^{\perp} = D\,\|\mathbf{v}'^{\perp}\| = D\,\|\mathbf{v}'\|$. Similarly, in the case where
the trajectory from $\mathbf{s}$ along $\mathbf{v}'$ is tangent to the left side of the circle, the equation
$-\mathbf{s}\cdot\mathbf{v}'^{\perp} = D\,\|\mathbf{v}'\|$ holds. In addition, since the trajectory from $\mathbf{s}$ along $\mathbf{v}'$ reaches
the tangent point at a nonnegative time, and since this time is equal to $\mathit{tca}(\mathbf{s}, \mathbf{v}')$,
it follows from the definition of the function tca that $\mathbf{s}\cdot\mathbf{v}' \le 0$.

This motivates the following definition of the predicate LineSolution, which
determines whether a given trajectory, in the relative coordinate system, is tangent
to the circle of radius $D$ around the origin. The predicate depends on a unit value
$\varepsilon = \pm 1$, with $\varepsilon = -1$ corresponding to a right tangent and $\varepsilon = 1$ to a left tangent.

$$\mathit{LineSolution}(\mathbf{s}, \mathbf{v}', \varepsilon) \equiv -\varepsilon\,\mathbf{s}\cdot\mathbf{v}'^{\perp} = D\,\|\mathbf{v}'\| \text{ and } \mathbf{s}\cdot\mathbf{v}' \le 0. \tag{16}$$

This predicate holds for vectors $\mathbf{s}$ and $\mathbf{v}'$ precisely when the half line $\mathbf{s} + t\,\mathbf{v}'$,
with $t > 0$, is tangent to the circle of radius $D$ around the intruder in the relative
coordinate system.






Figure 5. Relative Vector $\mathbf{v}'$ Tangent to the Circle


Lemma 28. If $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}', \varepsilon)$ holds, then

$$\|\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v}')\,\mathbf{v}'\| = D.$$

Since line solutions characterize tangent trajectories to the circle of radius $D$,
they yield conflict free resolutions. This fact is a direct consequence of Theorem 14
and Lemma 28.

Theorem 29. If $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}', \varepsilon)$ holds, then $\neg\,\mathit{Conflict}(\mathbf{s}, \mathbf{v}')$.

The function tangent_line, defined below, is used to compute vectors that
satisfy the predicate LineSolution. It takes as arguments a relative position vector
$\mathbf{s}$ such that $\|\mathbf{s}\| > D$ and a unit value $\varepsilon = \pm 1$. It returns a vector that is tangent to
the protected zone.



The proofs of the following lemmas rely on standard vector algebra. 

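Lemma 30. If $\|\mathbf{s}\| > D$ and $\varepsilon = \pm 1$, then $\mathit{LineSolution}(\mathbf{s}, \mathit{tangent\_line}(\mathbf{s}, \varepsilon), \varepsilon)$
holds.

Lemma 31. If $\|\mathbf{s}\| > D$, then $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}', \varepsilon)$ holds if and only if there exists
$k > 0$ such that

$$\mathbf{v}' = k\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon).$$

Lemma 32 gives an alternative characterization of the horizontal criterion that
uses the function tangent_line.

Lemma 32. For all vectors $\mathbf{s}$ and $\mathbf{v}$, and $\varepsilon = \pm 1$,

$$\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}} = \{\mathbf{v}' \mid \|\mathbf{s}\| > D \text{ and } \varepsilon\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon)\cdot\mathbf{v}'^{\perp} \ge 0\}.$$

The following lemma states that vectors that satisfy the predicate LineSolution
also satisfy the horizontal criterion. Therefore, since by Theorem 25, the horizontal
criterion $\mathcal{H}^\varepsilon$ is ConflictFree-coordinated, resolution algorithms that compute line
solutions are also ConflictFree-coordinated. This result is stated by Theorem 34.

Lemma 33. If $\|\mathbf{s}\| > D$ and $\mathit{LineSolution}(\mathbf{s}, \mathbf{u}, \varepsilon)$ holds, then $\mathbf{u} \in \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$.

Proof. By Lemma 31, if $\mathit{LineSolution}(\mathbf{s}, \mathbf{u}, \varepsilon)$ holds, then there exists $k > 0$ such
that $\mathbf{u} = k\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon)$. Thus, $\varepsilon\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon)\cdot\mathbf{u}^{\perp} = 0$, and the result
follows directly from Lemma 32. □

Theorem 34. Suppose that $\sigma_o$ and $\sigma_i$ are resolution algorithms for the ownship
and the intruder, respectively, and that for all vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}'_o$, $\mathbf{v}'_i$,

1. $\mathbf{v}'_o \in \sigma_o(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ implies that $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ holds, and

2. $\mathbf{v}'_i \in \sigma_i(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ implies that $\mathit{LineSolution}(-\mathbf{s}, \mathbf{v}'_i - \mathbf{v}_o, \varepsilon)$ holds.

Then $\sigma_o$ and $\sigma_i$ are coordinated for the safety property ConflictFree.

Proof. By Theorem 2 in Section 3.1 and Theorem 25, it suffices to prove that $\sigma_o$
and $\sigma_i$ each satisfy the criterion $\mathcal{H}^\varepsilon$. This follows immediately from Lemma 33. □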

5.3.2 Maximality of Horizontal Criterion 

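Theorem 35 (Maximality of $\mathcal{H}^\varepsilon$). Suppose that $\mathcal{A}^\varepsilon$ is a symmetric signed criterion
that is independent of length and contains the horizontal criterion $\mathcal{H}^\varepsilon$. If $\mathcal{A}^\varepsilon$ is
coordinated for ConflictFree and $\neg\,\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds, then $\mathcal{A}^\varepsilon_{\mathbf{s},\mathbf{v}} = \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$.

Proof. Note that Theorem 4 implies that $\mathcal{A}^\varepsilon$ is sum independent. By contradiction,
suppose that there are vectors $\mathbf{s}$, $\mathbf{v}$, and $\mathbf{v}'$ such that $\mathbf{v}' \in \mathcal{A}^\varepsilon_{\mathbf{s},\mathbf{v}}$, $\mathbf{v}' \notin \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$, and
$\neg\,\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v})$ holds. By Lemma 32,

$$\varepsilon\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon)\cdot\mathbf{v}'^{\perp} < 0.$$

By using the Cauchy-Schwarz inequality, it is shown that there exists $\delta > 0$ such
that for every vector $\mathbf{w}$ with $\|\mathbf{w}\| < \delta$, $\varepsilon\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon)\cdot(\mathbf{v}' + \mathbf{w})^{\perp} < 0$. For
any such vector $\mathbf{w}$, $\mathbf{v}' + \mathbf{w} \notin \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$.

Choose any positive real number $c$ such that $\|c\,\mathbf{s}\| < \delta$. Therefore, $\mathbf{v}' + c\,\mathbf{s} \notin \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$.
By Lemma 32, if $\mathbf{u}$ is any vector that is not an element of the set $\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$, then the
negative vector $-\mathbf{u}$ is an element of this set. Applying this to the vector $\mathbf{v}' + c\,\mathbf{s}$, it
follows that $-\mathbf{v}' - c\,\mathbf{s}$ is an element of $\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$ and therefore an element of $\mathcal{A}^\varepsilon_{\mathbf{s},\mathbf{v}}$ as well.

Since $-\mathbf{v}' - c\,\mathbf{s}$ and $\mathbf{v}'$ are both elements of $\mathcal{A}^\varepsilon_{\mathbf{s},\mathbf{v}}$, and since $\mathcal{A}$ is sum independent,
it follows that their sum, which is equal to $-c\,\mathbf{s}$, satisfies $\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(-c\,\mathbf{s})$. This
is a contradiction since $\mathbf{s} + t\,(-c\,\mathbf{s}) = \mathbf{0}$. □

The theorem above states that the horizontal criterion is maximal among
symmetric, coordinated, signed criteria that are independent of length. This result is
false if the hypothesis of length-independence is removed, even among criteria that
are ConflictFree-independent. In particular, the derived criterion $\mathit{Deriv}^{1/2}(\mathcal{H}^\varepsilon)$
contains the horizontal criterion $\mathcal{H}^\varepsilon$. This derived criterion is coordinated with itself
by Theorem 9 in Section 3.4. Define a new signed criterion $\mathcal{K}^\varepsilon$ as follows.

$$\mathcal{K}^\varepsilon_{\mathbf{s},\mathbf{v}} = \mathit{Deriv}^{1/2}(\mathcal{H}^\varepsilon)_{\mathbf{s},\mathbf{v}} \cap (\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}} \cup \mathcal{H}^{-\varepsilon}_{\mathbf{s},\mathbf{v}}). \tag{18}$$

This criterion is shown graphically in Figure 6.

Figure 6. Criterion $\mathcal{K}^\varepsilon$

It follows from definitions that the criterion $\mathcal{K}^\varepsilon$ is symmetric. By Lemma 17, $\mathcal{H}^\varepsilon$
and $\mathcal{H}^{-\varepsilon}$ are ConflictFree-independent. Since $\mathcal{K}^\varepsilon$ is contained in the union of these
two sets, $\mathcal{K}^\varepsilon$ is ConflictFree-independent as well. However, since $\mathit{Deriv}^{1/2}(\mathcal{H}^\varepsilon)$ is not
independent of length, neither is the signed criterion $\mathcal{K}^\varepsilon$. If $\neg\,\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$
holds, then $\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}} \subseteq \mathcal{K}^\varepsilon_{\mathbf{s},\mathbf{v}}$ and this inclusion is proper. Thus, the horizontal criterion
$\mathcal{H}^\varepsilon$ is not maximal among symmetric, ConflictFree-coordinated, signed criteria.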
5.4 Three-Dimensional Criteria

For notational convenience, the mathematical framework presented in this paper is
illustrated in the Euclidean 2-dimensional airspace. However, all definitions such
as those of safety property, conflict resolution algorithm, independence,
coordination, criterion, etc., and their properties, naturally extend to the Euclidean
3-dimensional geometry. The formal development in PVS discussed in this paper is
both 2-dimensional and 3-dimensional.

As opposed to the rest of this paper, all vectors in this section, e.g., the position
and velocity vectors of the aircraft $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, are assumed to be 3-dimensional.
Furthermore, $\mathbf{u}_{(x,y)}$ and $\mathbf{u}_z$ denote the 2-dimensional and vertical projections of $\mathbf{u}$,
respectively. When $r$ is a real number, the notation $\mathbf{u}$ with $[z \leftarrow r]$ denotes the
3-dimensional vector $(\mathbf{u}_x, \mathbf{u}_y, r)$.

In the Euclidean 3-dimensional airspace, the separation requirement for two
aircraft is specified by a minimum horizontal separation $D$ and a minimum vertical
separation $H$, which is typically 1000 feet. In the relative 3-dimensional coordinate
system, the separation requirement is represented by a cylinder of radius $D$ and
half-height $H$ around the intruder aircraft. A loss of separation between two aircraft
occurs when the ownship enters this cylinder, i.e., when the following inequalities
hold

$$\|(\mathbf{s}_o - \mathbf{s}_i)_{(x,y)}\| < D, \qquad |(\mathbf{s}_o - \mathbf{s}_i)_z| < H.$$

A conflict in the 3-dimensional airspace is defined as a projected loss of separation
and is formally defined by the predicate 3DConflict.

$$\mathit{3DConflict}(\mathbf{s}, \mathbf{v}) \equiv \exists\, t > 0 : \|(\mathbf{s} + t\,\mathbf{v})_{(x,y)}\| < D \text{ and } |(\mathbf{s} + t\,\mathbf{v})_z| < H,$$

where $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$. Therefore, the 3-dimensional predicate
3DConflictFree is defined as follows.

$$\mathit{3DConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \equiv \neg\,\mathit{3DConflict}(\mathbf{s}, \mathbf{v}'). \tag{19}$$

The following lemma relates two-dimensional and three-dimensional conflicts.

Lemma 36. A 3-dimensional conflict implies a 2-dimensional one, i.e.,

$$\mathit{3DConflict}(\mathbf{s}, \mathbf{v}) \implies \mathit{Conflict}(\mathbf{s}_{(x,y)}, \mathbf{v}_{(x,y)}).$$

Moreover, 3-dimensional ConflictFree is implied by the 2-dimensional one, i.e.,

$$\mathit{ConflictFree}_{\mathbf{s}_{(x,y)},\mathbf{v}_{(x,y)}}(\mathbf{v}'_{(x,y)}) \implies \mathit{3DConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}').$$

The parametric predicate 3DConflictFree is a safety property, i.e., it satisfies
that for all 3-dimensional vectors $\mathbf{v}'$,

$$\mathit{3DConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}') \iff \mathit{3DConflictFree}_{-\mathbf{s},-\mathbf{v}}(-\mathbf{v}').$$
Furthermore, the complement of 3DConflictFree, i.e., the set of vectors that satisfy
$\neg\,\mathit{3DConflictFree}$, is closed under sum.

The natural 3-dimensional extension of the horizontal criterion $\mathcal{H}^\varepsilon$, called $\mathit{3D}\mathcal{H}^\varepsilon$,
is defined as follows.

$$\mathit{3D}\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}} = \{\mathbf{v}' \mid \mathbf{v}'_{(x,y)} \in \mathcal{H}^\varepsilon_{\mathbf{s}_{(x,y)},\mathbf{v}_{(x,y)}}\}.$$

As stated by the following theorem, the criterion $\mathit{3D}\mathcal{H}^\varepsilon$ satisfies all the properties
of its 2-dimensional counterpart $\mathcal{H}^\varepsilon$.

Theorem 37. The three-dimensional signed criterion $\mathit{3D}\mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$ is independent for the
safety property 3DConflictFree. Furthermore, it is symmetric and sum independent
for 3DConflictFree.


The following theorem follows from Theorem 3 in Section 3.3, Theorem 37, and 
properties of the predicate 3D ConflictFree. 


Theorem 38. The signed criterion 3D ConflictFree is coordinated with itself for 
3D ConflictFree. 

A more interesting example of a 3-dimensional signed criterion is the vertical 
criterion $\mathcal{V}^\varepsilon$, which is defined as follows.

Vg iV = {v ; I (||V( X)J/ )|| =0 and ev' z > 0 and es z > H) 

or 

(let i= if |s 2 | > H then esign(s 2 ) else —1 endif in 

^ip(x,y)i^(x,y)') F 0 and @D(S(x,y)i^(x,y)i ^ 0 and 

let p = (s + @D(s( Xj j / ),V( Xj j ( ),t)v) with [z^-eH] in 
IntersectsHalfPlane( s, V , p, e))}, 


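where

$$\mathit{IntersectsHalfPlane}(\mathbf{s}, \mathbf{v}', \mathbf{p}, \varepsilon) = \mathbf{v}' \cdot \mathbf{p} \neq 0 \text{ and let } t = \frac{D^2 - \mathbf{s} \cdot \mathbf{p}}{\mathbf{v}' \cdot \mathbf{p}} \text{ in } t > 0 \text{ and } \varepsilon\,(s_z + t\,v'_z) > \varepsilon\,p_z.$$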

Intuitively, the set $\mathcal{V}^\varepsilon_{\mathbf{s},\mathbf{v}}$ consists of vectors $\mathbf{v}'$ that solve a predicted conflict by 
maintaining vertical separation when the aircraft are not horizontally separated. In 
the vertical criterion $\mathcal{V}^\varepsilon$, the unit value $\varepsilon$ represents the two possible regions for 
vertical resolution: up, when $\varepsilon = 1$, and down, when $\varepsilon = -1$. Figure 7 illustrates 
$\mathcal{V}^\varepsilon$ when $\varepsilon = 1$. Reference [12] provides a detailed description of this criterion.

Lemma 39. The signed criterion $\mathcal{V}^\varepsilon$ is independent for $\mathit{3DConflictFree}$, i.e., for 
all $\mathbf{v}' \in \mathcal{V}^\varepsilon_{\mathbf{s},\mathbf{v}}$, $\mathit{3DConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}')$ holds.

Figure 7. Vertical Criterion $\mathcal{V}^1$

The vertical criterion $\mathcal{V}^\varepsilon$ is an example of an antisymmetric criterion. Furthermore, 
it is sum independent for the safety property $\mathit{3DConflictFree}$. Therefore, by 
Theorem 6 in Section 3.3, the following coordination property holds.

Theorem 40. The vertical criterion $\mathcal{V}^\varepsilon$ is coordinated with $\mathcal{V}^{-\varepsilon}$ for the safety 
property $\mathit{3DConflictFree}$.

In contrast to the horizontal criterion where both aircraft have to use the same 
horizontal direction, i.e. , both left or both right, to solve a predicted conflict, the ver- 
tical criterion requires that the aircraft use opposite vertical directions, i.e., up/down 
or down/up, to solve the conflict. 

Theorems 38 and 40 guarantee that the horizontal and vertical criteria are each 
coordinated with themselves for $\mathit{3DConflictFree}$. However, those theorems do not 
guarantee that the criteria are coordinated with each other. In general, it does 
not hold that two algorithms $\sigma_o$ and $\sigma_i$ that satisfy, respectively, the horizontal 
criterion $3D\mathcal{H}^\varepsilon$ and the vertical criterion $\mathcal{V}^\varepsilon$ are coordinated for $\mathit{3DConflictFree}$. 
Theorem 11 in Section 3.4 provides a simple way to combine different criteria, which 
are coordinated with themselves for a safety property $P$. The composed criterion 
contains vectors in both criteria and is coordinated for $P$. The following theorem 
provides a criterion $\mathcal{C}^{\varepsilon_h,\varepsilon_v}$, parametric by two unit values $\varepsilon_h$ and $\varepsilon_v$, that is 
coordinated for $\mathit{3DConflictFree}$.

Theorem 41. Let $\mathcal{C}^{\varepsilon_h,\varepsilon_v}$ be the criterion defined as the following set of 3-dimensional 
vectors.

$$\mathcal{C}^{\varepsilon_h,\varepsilon_v}_{\mathbf{s},\mathbf{v}} = \mathit{Comp}(3D\mathcal{H}^{\varepsilon_h}, \mathcal{V}^{\varepsilon_v})_{\mathbf{s},\mathbf{v}}.$$

The criterion $\mathcal{C}^{\varepsilon_h,\varepsilon_v}$ is coordinated with $\mathcal{C}^{\varepsilon_h,-\varepsilon_v}$ for the safety property $\mathit{3DConflictFree}$.

Proof. The result follows directly from Theorems 11 (Section 3.4), 37, 40, and the 
fact that the complement of the predicate $\mathit{3DConflictFree}$ is closed under sum. □

Finally, Theorem 41 gives sufficient conditions to show that two, possibly different, 
3-dimensional conflict resolution algorithms are coordinated.

Theorem 42. Let $\sigma_o$ and $\sigma_i$ be 3-dimensional conflict resolution algorithms. If 
$\sigma_o$ satisfies $\mathcal{C}^{\varepsilon_h,\varepsilon_v}$ and $\sigma_i$ satisfies $\mathcal{C}^{\varepsilon_h,-\varepsilon_v}$, then $\sigma_o$ and $\sigma_i$ are coordinated for 
$\mathit{3DConflictFree}$.

Proof. The result follows from Theorem 2 in Section 3.1 and Theorem 41. □

The criterion $\mathcal{C}^{\varepsilon_h,\varepsilon_v}$ illustrates the usefulness of composing two criteria using 
$\mathit{Comp}$. The composed criterion is coordinated for $\mathit{3DConflictFree}$. Since it is 
3-dimensional, it allows for both horizontal and vertical maneuvers. This criterion is 
at the basis of a standard for guaranteeing implicit coordination of 3-dimensional 
conflict resolution algorithms [12] in a distributed self-separation airspace concept.

6 Conflict Resolution Algorithms 

As defined in Section 2, an algorithm that returns guidance maneuvers that at- 
tempt to restore a safety property is called a resolution algorithm. When the safety 
property is ConflictFree , the algorithm is called a conflict resolution algorithm. 

This section provides several examples of conflict resolution algorithms and states 
some basic properties of these algorithms. In particular, the following algorithms 
are described: the Modified Voltage Potential algorithm [8] developed at the Na- 
tional Aerospace Laboratory (NLR) in the Netherlands, an algorithm for track angle 
maneuvers developed at NASA Langley Research Center as part of the Airborne 
Coordinated Conflict Resolution and Detection (ACCoRD) framework [13], and the 
Geometric Optimization algorithm [2] for track angle maneuvers developed at NASA 
Ames Research Center. The main results in this section are that the Modified Voltage 
Potential algorithm is not ConflictFree-independent and that the track-angle 
algorithms of ACCoRD and Geometric Optimization are ConflictFree-independent.

6.1 Modified Voltage Potential 

The Modified Voltage Potential [8] algorithm MVP is a conflict resolution algorithm 
developed by NLR in the Netherlands. It takes as inputs the current state vectors 
of the aircraft, i.e., $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, and returns either an empty set if a resolution is 
not found or a singleton set $\{\mathbf{v}'_o\}$, where $\mathbf{v}'_o$ is a new velocity vector for the ownship.

The algorithm relies on the function $\mathit{tca}$, defined in Section 4.3, which gives the 
time of closest approach between the aircraft. The first step of the MVP algorithm is 
to compute the time $\mathit{tca}(\mathbf{s}, \mathbf{v})$, where $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$. Then, the algorithm computes 
the relative position of the two aircraft at the time $\mathit{tca}(\mathbf{s}, \mathbf{v})$, when the aircraft 
achieve minimum separation. The relative position at this time is $\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$, 
which is denoted $\mathbf{s}_{tca}$ and graphically shown in Figure 8. Here, it is assumed that 
the aircraft are currently in conflict, although this is not required for the definition 
of the algorithm MVP.

Figure 8. Relative Position $\mathbf{s}_{tca}$ at Time of Closest Approach

In Figure 8, the point $\mathbf{s}_{tca}$ is shown at the end of the dotted line. It is perpendicular 
to the vector $\mathbf{v}$, i.e., $\mathbf{s}_{tca} \cdot \mathbf{v} = 0$. If $\mathbf{s}_{tca} \neq \mathbf{0}$, then the algorithm MVP returns a 
velocity vector $\mathbf{v}'_o$ for the ownship such that the relative vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ satisfies

$$\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}' = \mathbf{p},$$

where $\mathbf{p}$ denotes $\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca}$. This is illustrated in Figure 9.

Thus, if $\mathit{tca}(\mathbf{s}, \mathbf{v}) > 0$, then $\mathbf{v}'_o$ can be calculated as follows.

$$
\begin{aligned}
\mathbf{v}'_o &= \frac{1}{\mathit{tca}(\mathbf{s},\mathbf{v})}\,(\mathbf{p} - \mathbf{s}) + \mathbf{v}_i \\
&= \frac{1}{\mathit{tca}(\mathbf{s},\mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) + \mathbf{v}_i \\
&= \frac{1}{\mathit{tca}(\mathbf{s},\mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - (\mathbf{s}_{tca} - \mathit{tca}(\mathbf{s},\mathbf{v})\,\mathbf{v})\right) + \mathbf{v}_i \\
&= \frac{D - \|\mathbf{s}_{tca}\|}{\mathit{tca}(\mathbf{s},\mathbf{v})\,\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} + \mathbf{v} + \mathbf{v}_i \\
&= \frac{D - \|\mathbf{s}_{tca}\|}{\mathit{tca}(\mathbf{s},\mathbf{v})\,\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} + \mathbf{v}_o.
\end{aligned}
\tag{20}
$$

Equation (20) motivates the following definition of the algorithm MVP, which 
returns the empty set if the time $\mathit{tca}(\mathbf{s}, \mathbf{v})$ is not positive or the vector $\mathbf{s}_{tca}$ is equal 
to $\mathbf{0}$.

Figure 9. MVP's Relative Vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$


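$$
\begin{array}{l}
\mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i) = \\
\quad \text{let } \mathbf{s}_{tca} = \mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v} \text{ in} \\
\quad \text{if } \mathit{tca}(\mathbf{s}, \mathbf{v}) > 0 \text{ and } \mathbf{s}_{tca} \neq \mathbf{0} \text{ then} \\
\qquad \text{let } \mathbf{v}'_o = \dfrac{D - \|\mathbf{s}_{tca}\|}{\mathit{tca}(\mathbf{s}, \mathbf{v})\,\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} + \mathbf{v}_o \text{ in } \{\mathbf{v}'_o\} \\
\quad \text{else } \emptyset \\
\quad \text{endif}
\end{array}
\tag{21}
$$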

The next lemma follows directly from Equation (20) and states that the resolution 
maneuver provided by MVP achieves a distance $D$ at the original time of closest 
approach $\mathit{tca}(\mathbf{s}, \mathbf{v})$. Unfortunately, as shown by Theorem 44, this result does not 
imply that MVP achieves a distance $D$ at the time of closest approach for the resolution 
maneuver, i.e., $\mathit{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i)$.





Lemma 43. For all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, if $\mathbf{v}'_o \in \mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ then

$$\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,(\mathbf{v}'_o - \mathbf{v}_i) = \frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca},$$

where $\mathbf{s}_{tca} = \mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$.

The Modified Voltage Potential algorithm MVP is not independent for ConflictFree. 
In fact, a stronger result can be shown: if MVP returns a vector, then this 
vector is always in conflict.

Theorem 44. Let $\mathbf{s}$ be the relative vector $\mathbf{s}_o - \mathbf{s}_i$. If $\|\mathbf{s}\| > D$, $\mathit{Conflict}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i)$ 
holds, and $\mathbf{v}'_o \in \mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, then $\mathit{Conflict}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i)$ holds.

Proof. The formal proof is based on algebraic reasoning. A geometric, intuitive 
proof of this result is given here. To understand the reasoning behind this theorem, 
consider the diagram in Figure 9, which shows the geometric interpretation of the 
vector $\mathbf{v}'_o$ computed by $\mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$. The triangle formed by the segments 
$(\mathbf{s}, \mathbf{s}_{tca})$, $(\mathbf{s}_{tca}, \mathbf{p})$, and $(\mathbf{p}, \mathbf{s})$ is a right triangle. Since the sum of the interior angles of 
any triangle is $\pi$, it follows that the interior angle formed by the segments $(\mathbf{s}_{tca}, \mathbf{p})$ 
and $(\mathbf{p}, \mathbf{s})$ is strictly less than $\frac{\pi}{2}$. Thus, the trajectory from $\mathbf{s}$ along the relative vector 
$\mathbf{v}'_o - \mathbf{v}_i$ is not tangent to the circle. By Lemma 43, this trajectory does touch the 
circle at the point $\mathbf{p}$. It follows that this trajectory must touch the circle at two 
distinct places, and it therefore passes through the interior of the circle. □


6.2 ACCoRD’s Track Angle Resolution 


ACCoRD is a mathematical framework for the design and formal verification of 
state-based separation assurance algorithms [13]. The framework is written in PVS 
and includes conflict resolution algorithms for track angle, ground speed, combined 
track angle and ground speed, and vertical speed maneuvers. This paper only considers 
the algorithm for track angle maneuvers, which will be denoted $\mathit{ACCoRDtrack}^\varepsilon$, 
where $\varepsilon$ is a unit value ±1. The main theorem in this section states that for $\varepsilon = \pm 1$, 
$\mathit{ACCoRDtrack}^\varepsilon$ is ConflictFree-independent.

The algorithm $\mathit{ACCoRDtrack}^\varepsilon$, where $\varepsilon = \pm 1$, has as arguments the vectors $\mathbf{s}_o$, 
$\mathbf{s}_i$, $\mathbf{v}_o$, and $\mathbf{v}_i$. It returns a set of at most two vectors where each one of these 
vectors, say $\mathbf{v}'_o$, is a new velocity vector for the ownship such that $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$, i.e., 
$\mathbf{v}'_o$ represents a track angle maneuver for the ownship. Furthermore, the relative 
velocity vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ is tangent to the circle on the side corresponding to the 
unit value $\varepsilon$, i.e., it satisfies $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}', \varepsilon)$ as defined in Section 5.3.1.

If $\mathbf{v}'_o$ is a track angle maneuver for the ownship and $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ 
holds, then it follows from Lemma 31 that there is some $k > 0$ such that

$$\|\mathbf{v}_o\|^2 = \|k\,\mathit{tangent\_line}(\mathbf{s}, \varepsilon) + \mathbf{v}_i\|^2. \tag{22}$$

Equation (22) has the form $\|\mathbf{v}_o\|^2 = \|k\,\mathbf{u} + \mathbf{v}_i\|^2$, for a given vector $\mathbf{u}$. It is possible 
to define a function that solves equations of this form for real numbers $k$. It follows 
from the equation $\|\mathbf{v}_o\|^2 = \|k\,\mathbf{u} + \mathbf{v}_i\|^2$ that

$$
\begin{aligned}
0 &= \|k\,\mathbf{u} + \mathbf{v}_i\|^2 - \|\mathbf{v}_o\|^2 \\
&= \|\mathbf{u}\|^2 k^2 + (2\,\mathbf{v}_i \cdot \mathbf{u})\,k + (\|\mathbf{v}_i\|^2 - \|\mathbf{v}_o\|^2).
\end{aligned}
\tag{23}
$$

This is a quadratic equation in $k$, which has at most two distinct solutions. Each 
one of these solutions yields a resolution vector $\mathbf{v}'_o$ for the ownship. The solutions 
to Equation (23) are given by $\frac{-b + \iota\sqrt{b^2 - 4ac}}{2a}$, where $\iota = \pm 1$, and

$$a = \|\mathbf{u}\|^2, \qquad b = 2\,\mathbf{v}_i \cdot \mathbf{u}, \qquad c = \|\mathbf{v}_i\|^2 - \|\mathbf{v}_o\|^2.$$

Thus, if $b^2 - 4ac > 0$ and $k = \frac{-b + \iota\sqrt{b^2 - 4ac}}{2a} > 0$, then the vector $\mathbf{v}'_o$ defined by 
$\mathbf{v}'_o = k\,\mathbf{u} + \mathbf{v}_i$ satisfies both $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$ and $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$. This motivates 
the definition of the function $\mathit{track\_only\_line}$, which returns a real number.


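$$
\begin{array}{l}
\mathit{track\_only\_line}(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i, \iota) = \\
\quad \text{let} \\
\qquad a = \|\mathbf{u}\|^2, \\
\qquad b = 2\,\mathbf{v}_i \cdot \mathbf{u}, \\
\qquad c = \|\mathbf{v}_i\|^2 - \|\mathbf{v}_o\|^2 \\
\quad \text{in} \\
\qquad \text{if } b^2 - 4ac > 0 \text{ then } \dfrac{-b + \iota\sqrt{b^2 - 4ac}}{2a} \text{ else } 0 \text{ endif}
\end{array}
\tag{24}
$$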


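The next lemma states that the algorithm $\mathit{track\_only\_line}$ computes solutions 
for $k$ to the equation $\mathbf{v}'_o = k\,\mathbf{u} + \mathbf{v}_i$, where $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$.

Lemma 45. If $\mathbf{u} \neq \mathbf{0}$, then $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$ and $k\,\mathbf{u} = \mathbf{v}'_o - \mathbf{v}_i$ if and only if

$$k = \mathit{track\_only\_line}(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i, \iota),$$

for some $\iota = \pm 1$.

Using $\mathit{track\_only\_line}$, the algorithm $\mathit{ACCoRDtrack}^\varepsilon$, which computes track 
angle maneuvers $\mathbf{v}'_o$ for the ownship that satisfy $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$, for $\varepsilon = \pm 1$, 
can be defined as follows.

$$
\begin{array}{l}
\mathit{ACCoRDtrack}^\varepsilon(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i) = \\
\quad \text{let} \\
\qquad \mathbf{s} = \mathbf{s}_o - \mathbf{s}_i, \\
\qquad \mathbf{u} = \mathit{tangent\_line}(\mathbf{s}, \varepsilon), \\
\qquad k_1 = \mathit{track\_only\_line}(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i, 1), \\
\qquad k_2 = \mathit{track\_only\_line}(\mathbf{u}, \mathbf{v}_o, \mathbf{v}_i, -1) \\
\quad \text{in} \\
\qquad (\text{if } k_1 > 0 \text{ then } \{k_1\,\mathbf{u} + \mathbf{v}_i\} \text{ else } \emptyset \text{ endif}) \\
\qquad \cup \\
\qquad (\text{if } k_2 > 0 \text{ then } \{k_2\,\mathbf{u} + \mathbf{v}_i\} \text{ else } \emptyset \text{ endif})
\end{array}
$$

Lemma 46 states that $\mathit{ACCoRDtrack}^\varepsilon$ resolutions are correct and complete for 
line solutions that are track angle maneuvers.

Lemma 46. Let $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ such that $\|\mathbf{s}\| > D$. For all $\varepsilon = \pm 1$, $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$ and 
$\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ holds if and only if

$$\mathbf{v}'_o \in \mathit{ACCoRDtrack}^\varepsilon(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i).$$

The next theorem states that $\mathit{ACCoRDtrack}^\varepsilon$ is ConflictFree-independent.

Theorem 47 ($\mathit{ACCoRDtrack}^\varepsilon$ Independence). For all vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}'_o$ and 
$\varepsilon = \pm 1$, if

$$\mathbf{v}'_o \in \mathit{ACCoRDtrack}^\varepsilon(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$$

and $\mathit{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i)$ holds, then it holds that

$$\mathit{ConflictFree}_{\mathbf{s}_o - \mathbf{s}_i,\,\mathbf{v}_o - \mathbf{v}_i}(\mathbf{v}'_o - \mathbf{v}_i).$$

Proof. By Theorem 29 and Lemma 46. □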
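As an added illustration (not ACCoRD's own code), the Python below implements track_only_line and the track-angle algorithm as defined above and runs them on the scenario of Section 6.4. Two assumptions: tangent_line, which is defined in Section 5.3.1, is taken to be the vector from s to the tangent point with the perpendicular (s_y, -s_x), and the time of closest approach is computed as -s·v/||v||².

```python
import math

# 2-D vector helpers on (x, y) tuples.
def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def add(a, b): return (a[0] + b[0], a[1] + b[1])
def sub(a, b): return (a[0] - b[0], a[1] - b[1])
def scal(k, a): return (k * a[0], k * a[1])
def norm(a): return math.hypot(a[0], a[1])

def tangent_line(s, eps, D):
    """ASSUMED form of tangent_line (Section 5.3.1): vector from s to the point
    where the tangent through s touches the circle of radius D, on side eps.
    Uses s_perp = (s_y, -s_x) and requires ||s|| > D."""
    ss = dot(s, s)
    alpha = D * D / ss
    beta = D * math.sqrt(ss - D * D) / ss
    s_perp = (s[1], -s[0])
    q = add(scal(alpha, s), scal(eps * beta, s_perp))  # tangent point
    return sub(q, s)

def track_only_line(u, v_o, v_i, iota):
    """Equation (24): the root k of ||k u + v_i||^2 = ||v_o||^2 selected by
    iota = +1 or -1, or 0 when the discriminant is not positive."""
    a = dot(u, u)
    b = 2 * dot(v_i, u)
    c = dot(v_i, v_i) - dot(v_o, v_o)
    disc = b * b - 4 * a * c
    if disc > 0:
        return (-b + iota * math.sqrt(disc)) / (2 * a)
    return 0.0

def accord_track(s_o, s_i, v_o, v_i, eps, D):
    """Track-angle resolutions: at most two new ownship velocities with the
    same ground speed whose relative velocity is tangent on side eps."""
    s = sub(s_o, s_i)
    if norm(s) <= D:
        return []  # no tangent exists from inside or on the protected zone
    u = tangent_line(s, eps, D)
    out = []
    for iota in (1, -1):
        k = track_only_line(u, v_o, v_i, iota)
        if k > 0:
            out.append(add(scal(k, u), v_i))
    return out

def closest_approach(s, v):
    """(time, distance) of closest approach for relative position s and
    relative velocity v, with t = -s.v / ||v||^2 (assumed formula)."""
    vv = dot(v, v)
    t = -dot(s, v) / vv if vv > 0 else 0.0
    return t, norm(add(s, scal(t, v)))

# Scenario of Section 6.4 (nautical miles and knots).
D = 5.0
S_O, S_I = (0.0, 0.0), (10.0, 0.0)
V_O, V_I = (500.0, -50.0), (250.0, 0.0)

if __name__ == "__main__":
    s = sub(S_O, S_I)
    for v_new in accord_track(S_O, S_I, V_O, V_I, -1, D):
        t, d = closest_approach(s, sub(v_new, V_I))
        print("ownship:", [round(x, 2) for x in v_new],
              "tca = %.2f s, distance = %.2f nmi" % (t * 3600, d))
    for v_new in accord_track(S_I, S_O, V_I, V_O, -1, D):
        print("intruder:", [round(x, 2) for x in v_new])
```

From the intruder's side the quadratic has two positive roots, so two track-angle maneuvers are returned.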

6.3 Geometric Optimization’s Track Angle Resolution 

The geometric optimization approach to state-based conflict resolution [2] consists 
of algorithms for track angle, ground speed, and combined track angle and ground 
speed maneuvers. This paper only considers the track angle algorithm, which will 
be denoted $\mathit{GOtrack}^\varepsilon_f$, where $\varepsilon$ is a unit value ±1 and $f \le 1$ is a nonnegative real 
number. In the case where $f = 1$, the algorithm returns a maneuver vector for the 
ownship such that if the intruder does not maneuver, then the resulting relative 
velocity vector is tangent to the circle of radius $D$ around the origin. The unit value 
$\varepsilon$ corresponds to the side of the circle, from the perspective of the ownship, on which 
this relative vector is tangent, with $\varepsilon = -1$ corresponding to a right tangent and 
$\varepsilon = 1$ to a left tangent.

The algorithm takes as inputs the current state vectors of the aircraft, i.e., 
vectors $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$. It returns a set of at most two vectors where each one of these 
vectors, say $\mathbf{v}'_o$, is a new velocity vector for the ownship such that $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$, i.e., 
$\mathbf{v}'_o$ represents a track angle maneuver for the ownship.

In the construction that follows, it will be implicit that the aircraft are currently 
in conflict. If this is not the case, then the algorithm returns the empty set. The 
main theorem in this section states that $\mathit{GOtrack}^\varepsilon_f$ is ConflictFree-independent when 
the parameter $f$ is equal to 1.

In order to specify the algorithm, some basic notation and trigonometric functions 
are needed. The first of these is the function $\mathit{track}$, which computes the track 
angle of a vector, relative to true North. It is defined for $\mathbf{u} \neq \mathbf{0}$ as follows.

$$\mathit{track}(\mathbf{u}) = \mathrm{atan2}(u_y, u_x). \tag{26}$$

Here, $\mathrm{atan2}(u_y, u_x)$ is the angle $\alpha$ that satisfies the equation $\mathbf{u} = (\sin(\alpha), \cos(\alpha))$. 
By convention, $\mathit{track}(\mathbf{0}) = 0$.

The second function that is needed in the definition of the algorithm takes an 
angle $\alpha$, which is any real number, and returns another angle, trigonometrically 
equivalent to $\alpha$, which lies in the interval $[0, 2\pi)$. It is defined by the following 
equation.

$$\mathit{to2pi}(\alpha) = \alpha - 2\pi \cdot \mathrm{floor}\left(\frac{\alpha}{2\pi}\right). \tag{27}$$

It is easy to see that if $\alpha \in [0, 2\pi)$, then $\mathit{to2pi}(\alpha) = \alpha$.

Next, the algorithm $\mathit{GOtrack}^\varepsilon_f$ relies on the function $\mathit{angleto}$, which returns the 
angle from one angle to another. The angle returned by this function lies in the 
interval $[-\pi, \pi)$. This function is defined as follows.

$$\mathit{angleto}(\alpha, \beta) = \mathit{to2pi}((\beta - \alpha) + \pi) - \pi. \tag{28}$$

Here, $\alpha$ and $\beta$ are any real numbers.

Lemma 48. The angle $\alpha + \mathit{angleto}(\alpha, \beta)$ is trigonometrically equivalent to $\beta$ in 
the sense that $(\alpha + \mathit{angleto}(\alpha, \beta)) - \beta$ is an integer multiple of $2\pi$.

There are various ways to define the function $\mathit{angleto}$ so that it has the desired 
properties. One such property, which has been proved for the definition of $\mathit{angleto}$ 
given in Equation (28), is given by the following lemma.

Lemma 49. If $|\alpha - \beta| < \pi$, then $\mathit{angleto}(\alpha, \beta) = \beta - \alpha$.

The first step in the algorithm $\mathit{GOtrack}^\varepsilon_f$ is to compute the angle change $\alpha$ needed 
in the relative velocity vector $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$ in order to achieve a tangent to the circle 
of radius $D$ around the origin. The side of the circle on which the tangent occurs 
is determined by $\varepsilon$. The angle $\alpha$ is illustrated in Figure 10 for $\varepsilon = -1$ (a right 
tangent), and its value is given in Formula (29).

If $f < 1$, then any velocity vector $\mathbf{v}'_o$ returned by the algorithm results in a new 
relative velocity vector $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$ that lies between the current velocity vector $\mathbf{v}$ 
and a tangent vector to the circle on the side corresponding to $\varepsilon$. That is, the angle 
from $\mathbf{v}$ to the vector $\mathbf{v}'$ is equal to $f\alpha$. The function $\chi_{rel}$, defined below, computes 
the track angle $\beta$ of $\mathbf{v}'$. This is illustrated in Figure 11.

$$\chi_{rel}(\mathbf{s}, \mathbf{v}, f, \varepsilon) = \mathit{to2pi}(\mathit{track}(\mathbf{v}) + f\alpha), \tag{29}$$

where $\alpha$ denotes the angle $\mathit{angleto}\left(\mathit{track}(\mathbf{v}),\ \mathit{track}(-\mathbf{s}) - \varepsilon\,\mathrm{asin}\left(\frac{D}{\|\mathbf{s}\|}\right)\right)$.

The next lemma shows that if $f = 1$, then $\chi_{rel}$ computes the track angle of a 
vector that is tangent to the circle, on the side corresponding to the unit value $\varepsilon$.

Lemma 50. If $k > 0$, $\beta = \chi_{rel}(\mathbf{s}, \mathbf{v}, 1, \varepsilon)$, and $\mathbf{u} = k \cdot (\sin(\beta), \cos(\beta))$, then 
$\mathit{LineSolution}(\mathbf{s}, \mathbf{u}, \varepsilon)$ holds.

The algorithm $\mathit{GOtrack}^\varepsilon_f$ is defined using the function $\chi_{rel}$. Any vector $\mathbf{v}'_o$ returned 
by the algorithm is a track angle maneuver for the ownship, i.e., $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$. 
Furthermore, if $f < 1$, then the relative velocity vector $\mathbf{v}'_o - \mathbf{v}_i$ satisfies

$$\mathit{track}(\mathbf{v}'_o - \mathbf{v}_i) = \chi_{rel}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, f, \varepsilon).$$

The algorithm $\mathit{GOtrack}^\varepsilon_f$ is defined as follows.

G0track^(s o ,Sj, v G , Vj) = 
let 



P = Xrel( s , v J, £ ) 

in 

if v = 0 or | — | sin(/3 — track(v*))| > 1 then 


else 

let 

e =| — | sin(/0 — track(vj))|, 

|| v o|| 

6\ =P~ asin(e), 

v oi = II Vo 1 1 (sin(0i),cos(0 2 )), 

9-2 = (3 — sign(asin(e))7r + asin(e), 
v o 2 = 1 1 v o 1 1 (sin(0 2 ),cos (d 2 )) 

in 

if s • (v^ — Vj) > 0 then {v^} else 0 endif 

U 

if s • (v(, 2 — Vj) > 0 then {v^} else 0 endif 
endif 


(30) 


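The following lemma states that $\mathit{GOtrack}^\varepsilon_f$ returns the ownship's current velocity 
vector when $f = 0$.

Lemma 51. If $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) < 0$ and $\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_0(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, then $\mathbf{v}'_o = \mathbf{v}_o$.

An important property of the algorithm $\mathit{GOtrack}^\varepsilon_f$ is given by Theorem 53. The 
proof of that theorem relies on the following lemma.

Lemma 52. If $\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_f(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ and $\beta = \chi_{rel}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, f, \varepsilon)$, then

$$\|\mathbf{v}_i\| \sin(\beta - \mathit{track}(\mathbf{v}_i)) = \|\mathbf{v}_o\| \sin(\beta - \mathit{track}(\mathbf{v}'_o)).$$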

Proof. By hypothesis, the algorithm returns a nonempty set. Therefore, v ^ 0, 
0 < e < 1, and s • (v^ — v$) < 0, where 

e = | — “li | sin(/3 — track(vj))|, 

|| v o || 

7 r 

6 = (3 — sign(asin(e)) — (1 + i) + iasin(e), 
v o = ||v 0 || (sin(0),cos(0)), 

for some i = ±1. 

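Since $\theta$ is trigonometrically equivalent to $\mathit{track}(\mathbf{v}'_o)$, it suffices to prove that 
$e = \sin(\chi_{rel}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, f, \varepsilon) - \theta)$. Expanding the definition of $\theta$ and cancelling equal 
terms reduces the proof to the verification of the following equality.

$$e = \sin\left(\mathrm{sign}(\mathrm{asin}(e))\,\frac{\pi}{2}\,(1 + \iota) - \iota\,\mathrm{asin}(e)\right).$$

If $\iota = -1$, then this equation becomes $e = \sin(\mathrm{asin}(e))$, which is trivial. Alternatively, 
if $\iota = 1$, then $\mathrm{sign}(\mathrm{asin}(e))\,\frac{\pi}{2}\,(1 + \iota)$ is equal to $\mathrm{sign}(\mathrm{asin}(e))\,\pi$, which is either 
$-\pi$ or $\pi$. Thus, it suffices to prove that

$$e = \sin(\pm\pi - \mathrm{asin}(e)),$$

which is also trivial. □

Theorem 53. If $\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i) < 0$ and $\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_f(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, then

1. $\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$, and

2. $\mathit{track}(\mathbf{v}'_o - \mathbf{v}_i) = \chi_{rel}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, f, \varepsilon)$.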

Proof. The proof is sketched here, with the special cases and minor details 
omitted for brevity. As in the proof of Lemma 52, v/0, 0<e<l, and s-(v^— v,;) < 
0, where 

P = Xre*( s > v >/> £ )> 
e = | — *4 | sin(/3 — track(v,;))|, 

|| v o || 

7 r 

9 = (3 — sign(asin(e)) — (1 + t) + iasin(e), 
v o = II v o|| (sin(0),cos(0)), 

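for some $\iota = \pm 1$. The first part of the theorem is proved by simple algebraic and 
trigonometric manipulations:

$$\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|\,\|(\sin(\theta), \cos(\theta))\| = \|\mathbf{v}_o\|\,\sqrt{\sin^2(\theta) + \cos^2(\theta)} = \|\mathbf{v}_o\|.$$

The second part of the theorem follows from Lemma 52:

$$\|\mathbf{v}_i\| \sin(\beta - \mathit{track}(\mathbf{v}_i)) = \|\mathbf{v}_o\| \sin(\beta - \mathit{track}(\mathbf{v}'_o)).$$

Since $\theta$ is trigonometrically equivalent to $\mathit{track}(\mathbf{v}'_o)$, by the subtraction property of 
the sine function,

$$\|\mathbf{v}_i\|\,(\sin(\beta)\cos(\mathit{track}(\mathbf{v}_i)) - \sin(\mathit{track}(\mathbf{v}_i))\cos(\beta)) = \|\mathbf{v}_o\|\,(\sin(\beta)\cos(\theta) - \sin(\theta)\cos(\beta)).$$

Therefore,

$$\tan(\beta) = \frac{\|\mathbf{v}_o\| \sin(\theta) - \|\mathbf{v}_i\| \sin(\mathit{track}(\mathbf{v}_i))}{\|\mathbf{v}_o\| \cos(\theta) - \|\mathbf{v}_i\| \cos(\mathit{track}(\mathbf{v}_i))} = \frac{v'_{ox} - v_{ix}}{v'_{oy} - v_{iy}} = \tan(\mathit{track}(\mathbf{v}'_o - \mathbf{v}_i)).$$

It is easy to prove that if $\mathbf{w}$ and $\mathbf{u}$ are any nonzero vectors where $w_y \neq 0$, $u_y \neq 0$, 
$w_x / w_y = u_x / u_y$, $\mathbf{s} \cdot \mathbf{w} < 0$, and $\mathbf{s} \cdot \mathbf{u} < 0$, then $\mathit{track}(\mathbf{w}) = \mathit{track}(\mathbf{u})$. Applying 
this to the vectors $(\sin(\beta), \cos(\beta))$ and $\mathbf{v}'_o - \mathbf{v}_i$ gives the desired result. □

The lemma below follows directly from Lemma 50 and Theorem 53.

Lemma 54. If $\mathit{Conflict}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i)$ holds and $\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_1(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, then 
$\|\mathbf{v}'_o\| = \|\mathbf{v}_o\|$ and $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ holds.

The next theorem states that $\mathit{GOtrack}^\varepsilon_1$ is ConflictFree-independent.

Theorem 55 ($\mathit{GOtrack}^\varepsilon_1$ Independence). For all vectors $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, 
and $\mathbf{v}'_o$ and for all $\varepsilon = \pm 1$, if

$$\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_1(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$$

and $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, then it holds that

$$\mathit{ConflictFree}_{\mathbf{s},\mathbf{v}}(\mathbf{v}'_o - \mathbf{v}_i).$$

Proof. By Theorem 29 and Lemma 54. □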


6.4 Numerical Example 

This section compares the resolution maneuvers computed by the algorithms presented 
before for a concrete scenario. The algorithms MVP and $\mathit{GOtrack}^\varepsilon_f$ are implemented 
in Python. Java and C++ implementations of ACCoRD's CD&R algorithms 
are available from http://shemesh.larc.nasa.gov/people/cam/ACCoRD. All the 
implementations use the floating point arithmetic provided by their respective 
languages.

| $\sigma$ | $\mathbf{v}'_o \in \sigma(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ | $\mathbf{v}'_i \in \sigma(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ |
|---|---|---|
| MVP | (484.50, -127.47) | (265.49, 77.47) |
| $\mathit{ACCoRDtrack}^\varepsilon$ | (483.99, -135.10) | (225.13, 108.69) |
| $\mathit{GOtrack}^\varepsilon_1$ | (483.99, -135.10) | (225.13, 108.69) |
| $\mathit{GOtrack}^\varepsilon_{1/2}$ | (494.00, -91.98) | (-154.34, 196.67) |

Table 1. Maneuvers From Different Resolution Algorithms

Assume that $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, and $\mathbf{v}_i$ are given as follows, where distances are in 
nautical miles (nmi) and speeds are in knots, i.e., nautical miles per hour.

$$D = 5, \quad \mathbf{s}_o = (0, 0), \quad \mathbf{s}_i = (10, 0), \quad \mathbf{v}_o = (500, -50), \quad \mathbf{v}_i = (250, 0).$$

Let $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$ be the relative position and velocity vectors, 
respectively. In this case,

$$\mathbf{s} = (-10, 0), \quad \mathbf{v} = (250, -50).$$

The time of closest approach between the aircraft is given by tca(s, v) = hours, 
which is about 138.5 seconds, and the distance at time of closest approach is about 
1.96 miles. Since the minimum safe separation D is 5 nautical miles, the aircraft 
are in conflict. 

Table 1 shows resolution vectors computed by the conflict resolution algorithms 
MVP, $\mathit{ACCoRDtrack}^\varepsilon$, and $\mathit{GOtrack}^\varepsilon_f$, where $\varepsilon = -1$, for the given values from the 
ownship's and intruder's perspectives. In the case of $\mathit{GOtrack}^\varepsilon_f$, the values $f = 1$ 
and $f = \frac{1}{2}$ are considered. The results have been rounded to 2 decimal places. 
According to Lemma 46 and Lemma 54, all maneuvers computed by $\mathit{GOtrack}^\varepsilon_1$ are 
also computed by $\mathit{ACCoRDtrack}^\varepsilon$. This property is illustrated in the example by 
the fact that $\mathit{ACCoRDtrack}^\varepsilon$ and $\mathit{GOtrack}^\varepsilon_1$ compute the same track angle resolution 
maneuvers.

Tables 2 and 3 show the time of closest approach and distance of closest approach 
for the resolutions in Table 1 for the independent and coordinated cases, respectively. 
The results have been rounded to 2 decimal places. In the independent case, the 
distance at time of closest approach is the same from the ownship's and intruder's 
perspective. Table 2 shows that in the given scenario, MVP and $\mathit{GOtrack}^\varepsilon_{1/2}$ do not 
achieve separation when only one of the aircraft maneuvers. The fact that MVP 
does not achieve separation is a numerical illustration of Theorem 44, which states 
that resolution maneuvers computed by MVP are always in conflict. Table 2 also shows 
that in the independent case, for this scenario, both $\mathit{ACCoRDtrack}^\varepsilon$ and $\mathit{GOtrack}^\varepsilon_1$ 
achieve a minimum separation of 5 nautical miles. The fact that $\mathit{ACCoRDtrack}^\varepsilon$ 
and $\mathit{GOtrack}^\varepsilon_1$ achieve exactly the required minimum separation is a numerical 
illustration of Lemma 46 and Lemma 54, which state, respectively, that $\mathit{ACCoRDtrack}^\varepsilon$ 
and $\mathit{GOtrack}^\varepsilon_1$ compute solutions that are tangent to the relative protected zone. 
Table 3 shows that in this particular scenario the resolutions computed by MVP, 
$\mathit{ACCoRDtrack}^\varepsilon$, and $\mathit{GOtrack}^\varepsilon_1$ are coordinated. However, the minimum separation 
achieved when both aircraft simultaneously maneuver according to $\mathit{GOtrack}^\varepsilon_{1/2}$ is less 
than the required minimum separation of 5 nautical miles.

| $\sigma$ | $\mathit{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i)$ | $\mathit{tca}(-\mathbf{s}, \mathbf{v}'_i - \mathbf{v}_o)$ | Distance at tca |
|---|---|---|---|
| MVP | 118.50 s | 118.50 s | 4.77 nmi |
| $\mathit{ACCoRDtrack}^\varepsilon$ | 115.39 s | 98.23 s | 5.00 nmi |
| $\mathit{GOtrack}^\varepsilon_1$ | 115.39 s | 98.23 s | 5.00 nmi |
| $\mathit{GOtrack}^\varepsilon_{1/2}$ | 129.18 s | 48.17 s | 3.53 nmi |

Table 2. Time and Distance of Closest Approach (Independent Case)

| $\sigma$ | $\tau = \mathit{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i)$ | Distance at $\tau$ |
|---|---|---|
| MVP | 87.63 s | 6.83 nmi |
| $\mathit{ACCoRDtrack}^\varepsilon$ | 73.70 s | 6.85 nmi |
| $\mathit{GOtrack}^\varepsilon_1$ | 73.70 s | 6.85 nmi |
| $\mathit{GOtrack}^\varepsilon_{1/2}$ | 46.34 s | 4.07 nmi |

Table 3. Time and Distance of Closest Approach (Coordinated Case)

This example suggests that $\mathit{GOtrack}^\varepsilon_{1/2}$ is neither ConflictFree-independent nor 
ConflictFree-coordinated. These apparent counterexamples to independence and 
coordination need to be formally verified. It may be that the figures in the tables 
are imprecise due to the effect of rounding errors in the floating point arithmetic 
used by the programming languages where the algorithms were implemented. The 
scenario also suggests that the conflict resolution algorithms MVP, $\mathit{ACCoRDtrack}^\varepsilon$, 
and $\mathit{GOtrack}^\varepsilon_1$ are ConflictFree-coordinated with themselves. However, this numerical 
example cannot be considered a proof of coordination. In addition to possible 
floating point error imprecisions, the existence of one scenario where coordination 
holds cannot be generalized to all possible scenarios. The next section provides 
formal, incontrovertible proofs of the coordination properties of MVP, $\mathit{GOtrack}^\varepsilon_f$, and 
$\mathit{ACCoRDtrack}^\varepsilon$.
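The MVP figures in Tables 1 to 3 can be recomputed directly from Equation (21). The Python below is an added example, not the implementation used for the tables; it also evaluates the scenario of Equation (33) in Section 7.4, and it assumes tca(s, v) = -s·v/||v||² for the function defined in Section 4.3.

```python
import math

# 2-D vector helpers on (x, y) tuples.
def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def add(a, b): return (a[0] + b[0], a[1] + b[1])
def sub(a, b): return (a[0] - b[0], a[1] - b[1])
def scal(k, a): return (k * a[0], k * a[1])
def norm(a): return math.hypot(a[0], a[1])

def tca(s, v):
    """Time of closest approach, assumed to be -s.v / ||v||^2 (0 if v = 0)."""
    vv = dot(v, v)
    return -dot(s, v) / vv if vv > 0 else 0.0

def closest_approach(s, v):
    """(time, distance) at the time of closest approach of the pair (s, v)."""
    t = tca(s, v)
    return t, norm(add(s, scal(t, v)))

def conflict(s, v, D):
    """Predicted loss of separation: minimum distance over t >= 0 is below D."""
    t = max(tca(s, v), 0.0)
    return norm(add(s, scal(t, v))) < D

def mvp(s_o, s_i, v_o, v_i, D):
    """Equation (21): a singleton list with the new ownship velocity, or an
    empty list when tca is not positive or s_tca is the zero vector."""
    s, v = sub(s_o, s_i), sub(v_o, v_i)
    t = tca(s, v)
    s_tca = add(s, scal(t, v))
    n = norm(s_tca)
    if t > 0 and n > 0:
        return [add(scal((D - n) / (t * n), s_tca), v_o)]
    return []

def evaluate(D, s_o, s_i, v_o, v_i):
    """Run MVP from both perspectives and measure the resulting geometry."""
    s, v = sub(s_o, s_i), sub(v_o, v_i)
    own = mvp(s_o, s_i, v_o, v_i, D)
    intr = mvp(s_i, s_o, v_i, v_o, D)
    if not own or not intr:
        raise ValueError("MVP returned no resolution for this scenario")
    own, intr = own[0], intr[0]
    return {
        "own": own,
        "intr": intr,
        # Lemma 43: distance reached at the ORIGINAL time of closest approach.
        "at_original_tca": norm(add(s, scal(tca(s, v), sub(own, v_i)))),
        # Only the ownship maneuvers (Table 2).
        "independent": closest_approach(s, sub(own, v_i)),
        # Both aircraft maneuver simultaneously (Table 3).
        "coordinated": closest_approach(s, sub(own, intr)),
    }

# Scenario of Section 6.4 and scenario of Equation (33), in nmi and knots.
SECTION_6_4 = dict(D=5.0, s_o=(0.0, 0.0), s_i=(10.0, 0.0),
                   v_o=(500.0, -50.0), v_i=(250.0, 0.0))
EQUATION_33 = dict(D=5.0, s_o=(0.0, 0.1), s_i=(math.sqrt(30.24), 0.0),
                   v_o=(500.0, 0.0), v_i=(250.0, 0.0))

if __name__ == "__main__":
    for name, sc in (("Section 6.4", SECTION_6_4), ("Equation (33)", EQUATION_33)):
        r = evaluate(**sc)
        print(name)
        print("  v_o' = (%.2f, %.2f), v_i' = (%.2f, %.2f)" % (r["own"] + r["intr"]))
        print("  distance at original tca: %.2f nmi" % r["at_original_tca"])
        for case in ("independent", "coordinated"):
            t, d = r[case]
            print("  %s: tca = %.2f s, distance = %.2f nmi, separated: %s"
                  % (case, t * 3600, d, d >= sc["D"]))
```

In the Section 6.4 scenario the coordinated MVP maneuvers are separated, while in the Equation (33) scenario both the independent and the coordinated distances fall below D.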


7 Formal Properties of MVP, $\mathit{GOtrack}^\varepsilon_f$, and $\mathit{ACCoRDtrack}^\varepsilon$

This section presents formal proofs of several results regarding coordination of MVP, 
$\mathit{GOtrack}^\varepsilon_f$, and $\mathit{ACCoRDtrack}^\varepsilon$. In particular, it is shown that MVP is coordinated 
for Repulsion and that $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$ are ConflictFree-coordinated 
with themselves, with each other, and with MVP. Formal proofs of the facts that MVP 
and $\mathit{GOtrack}^\varepsilon_{1/2}$ are not ConflictFree-coordinated with themselves are also presented. 
Furthermore, numerical evidence is provided to support the claim that they are not 
ConflictFree-coordinated with each other.


7.1 MVP is Coordinated for Repulsion 

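The proof that the Modified Voltage Potential algorithm MVP is coordinated for 
Repulsion illustrates the use of the repulsion criterion $\mathcal{R}^\varepsilon$ defined in Section 5. The 
coordination result for MVP follows from the fact that it satisfies $\mathcal{R}^\varepsilon$.

Lemma 56. Let $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$ and suppose that $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, $\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v} \neq \mathbf{0}$, 
and $\mathbf{v}'_o \in \mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$. Then

$$\mathbf{v}'_o - \mathbf{v}_i \in \mathcal{R}^\varepsilon_{\mathbf{s},\mathbf{v}},$$

where $\varepsilon = -\mathrm{sign}(\mathbf{s} \cdot \mathbf{v}^\perp)$.

Proof. It can be proved from the definition of MVP that

$$\mathbf{v}'_o - \mathbf{v}_i = \frac{1}{\mathit{tca}(\mathbf{s}, \mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right),$$

where $\mathbf{s}_{tca} = \mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$. It is easy to see that $\mathit{tca}(\mathbf{s}, \mathbf{v})$ must be positive. Thus, 
by the definition of $\mathcal{R}^\varepsilon$, it suffices to prove the following four conditions.

1. $\varepsilon\,\mathbf{s} \cdot \mathbf{v}^\perp < 0$.

2. $\mathbf{s} \cdot \mathbf{v} < 0$.

3. $\mathbf{s} \cdot \left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) < 0$.

4. $\varepsilon \left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) \cdot \mathbf{v}^\perp < 0$.

The first condition follows directly from the fact that $\varepsilon = -\mathrm{sign}(\mathbf{s} \cdot \mathbf{v}^\perp)$, and the 
second follows from $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$. The third condition follows from the 
Cauchy-Schwarz inequality:

$$
\begin{aligned}
\frac{D}{\|\mathbf{s}_{tca}\|}\,(\mathbf{s} \cdot \mathbf{s}_{tca}) &\le \frac{D}{\|\mathbf{s}_{tca}\|}\,\|\mathbf{s}\|\,\|\mathbf{s}_{tca}\| \\
&= D\,\|\mathbf{s}\| \\
&< \mathbf{s} \cdot \mathbf{s}.
\end{aligned}
$$

The fourth condition follows from the facts that $\mathbf{s}_{tca} \cdot \mathbf{v}^\perp = \mathbf{s} \cdot \mathbf{v}^\perp$ and $\varepsilon\,\mathbf{s} \cdot \mathbf{v}^\perp < 0$:

$$
\begin{aligned}
\varepsilon \left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) \cdot \mathbf{v}^\perp &= \varepsilon \left(\frac{D}{\|\mathbf{s}_{tca}\|} - 1\right) \mathbf{s} \cdot \mathbf{v}^\perp \\
&< 0.
\end{aligned}
\tag{31}
$$

The final inequality here uses the fact that $D > \|\mathbf{s}_{tca}\|$, which in turn follows directly 
from $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$. □

Theorem 57. The algorithm MVP is coordinated for Repulsion.

Proof. Lemma 56 implies that when the aircraft are in conflict, the algorithm MVP 
satisfies the criterion $\mathcal{R}^\varepsilon$, where $\varepsilon = -\mathrm{sign}(\mathbf{s} \cdot \mathbf{v}^\perp)$. The result follows from 
Theorem 25 (Section 3.3) and Theorem 2 (Section 3.1). □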

7.2 $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$ are ConflictFree-Coordinated

This section proves that the algorithms $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$ are 
ConflictFree-coordinated with themselves and with each other. The proof follows from the fact 
that each of these algorithms satisfies the horizontal criterion $\mathcal{H}^\varepsilon$, defined in 
Section 5.1.

Lemma 58. The algorithms $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$ each satisfy the horizontal 
criterion $\mathcal{H}^\varepsilon$.

Proof. If $\mathbf{v}'_o \in \mathit{GOtrack}^\varepsilon_1 \cup \mathit{ACCoRDtrack}^\varepsilon$, then by Lemma 54 (Section 6.3) and 
Lemma 46 (Section 6.2), it follows that $\mathit{LineSolution}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$ holds. The result 
follows directly from Lemma 33 (Section 5.3.1). □

Theorem 59. The resolution algorithms $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$ are coordinated 
with themselves and with each other for ConflictFree.

Proof. This follows directly from Lemma 58 and Theorem 34 (Section 5.3.1). □


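7.3 MVP is ConflictFree-Coordinated with $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$

This section proves that the resolution algorithm MVP is ConflictFree-coordinated 
with the algorithms $\mathit{GOtrack}^\varepsilon_1$ and $\mathit{ACCoRDtrack}^\varepsilon$. This proof requires that the 
value $\varepsilon$ is chosen such that $\varepsilon\,\mathbf{s} \cdot (\mathbf{v}_o - \mathbf{v}_i)^\perp < 0$. The result relies on Theorem 27 
(Section 5.2).

Lemma 60. If $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, and $\mathbf{v}'_o$ are vectors such that $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ 
holds, $\mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v} \neq \mathbf{0}$, $\mathbf{v}'_o \in \mathit{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, and $\varepsilon\,\mathbf{s} \cdot \mathbf{v}^\perp < 0$, then 
$\mathbf{v}'_o - \mathbf{v}_o \in \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$.

Proof. Since $\mathit{Conflict}(\mathbf{s}, \mathbf{v})$ holds, it is clear from the definition of the function $\mathit{tca}$ 
that $\mathit{tca}(\mathbf{s}, \mathbf{v})$ is positive. As noted in the proof of Lemma 56 (Section 7.1), it can 
be proved from the definition of MVP that

$$\mathbf{v}'_o - \mathbf{v}_i = \frac{1}{\mathit{tca}(\mathbf{s}, \mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right),$$

where $\mathbf{s}_{tca} = \mathbf{s} + \mathit{tca}(\mathbf{s}, \mathbf{v})\,\mathbf{v}$. Thus,

$$
\begin{aligned}
\mathbf{v}'_o - \mathbf{v}_o &= (\mathbf{v}'_o - \mathbf{v}_i) - \mathbf{v} \\
&= \frac{1}{\mathit{tca}(\mathbf{s}, \mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) - \mathbf{v} \\
&= \frac{1}{\mathit{tca}(\mathbf{s}, \mathbf{v})}\left(\frac{D}{\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca} - \mathbf{s}\right) - \frac{1}{\mathit{tca}(\mathbf{s}, \mathbf{v})}\,(\mathbf{s}_{tca} - \mathbf{s}) \\
&= \frac{D - \|\mathbf{s}_{tca}\|}{\mathit{tca}(\mathbf{s}, \mathbf{v})\,\|\mathbf{s}_{tca}\|}\,\mathbf{s}_{tca}.
\end{aligned}
\tag{32}
$$

Since $\mathbf{s}_{tca} \cdot \mathbf{v}^\perp = \mathbf{s} \cdot \mathbf{v}^\perp$, it can be proved using techniques from linear algebra that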


Stca — 


-es tc 


(-JV 1 ) 


— £ S • V 


( — 6 V± ). 


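Further, by hypothesis, the coefficient of the vector $-\varepsilon\,\mathbf{v}^\perp$ in this equation is 
nonnegative. Hence, it follows from Equation (32) that there is a nonnegative real 
number $r \ge 0$ such that

$$\mathbf{v}'_o - \mathbf{v}_o = r\,(-\varepsilon\,\mathbf{v}^\perp).$$

By Lemma 32 (Section 5), it is easy to see that $\mathcal{H}^\varepsilon$ is closed under multiplication by 
a nonnegative scalar, so it suffices to prove that $-\varepsilon\,\mathbf{v}^\perp \in \mathcal{H}^\varepsilon_{\mathbf{s},\mathbf{v}}$. This always holds 
and can be proved from definitions using linear algebraic manipulations. □

Theorem 61. Let $\sigma$ be a resolution algorithm such that for all $\mathbf{v}'_o \in \sigma(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, 
$\mathbf{v}'_o \in \mathit{LineSolution}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}'_o - \mathbf{v}_i, \varepsilon)$, where $\varepsilon\,\mathbf{s} \cdot \mathbf{v}^\perp < 0$. The resolution algorithm 
MVP is ConflictFree-coordinated with $\sigma$.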

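Proof. By Lemma 33 (Section 5.3.1) and Theorem 27 (Section 5.2), it suffices to prove that for all $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$, $\mathbf{v}'_i \in \mathrm{MVP}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$, if $\mathrm{Conflict}(\mathbf{s}, \mathbf{v})$ holds, then $(\mathbf{v}'_i - \mathbf{v}_i) \in$ This follows directly from Lemma 60. □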

Theorem 62. The resolution algorithm MVP is ConflictFree-coordinated with both $\mathrm{GOtrack}_{1}$ and $\mathrm{ACCoRDtrack}_{\epsilon}$, if $\epsilon$ is chosen such that $\epsilon\,\mathbf{s} \cdot \mathbf{v}^{\perp} < 0$.

Proof. By Lemma 54 (Section 6.3) and Lemma 46 (Section 6.2), both $\mathrm{GOtrack}_{1}$ and $\mathrm{ACCoRDtrack}_{\epsilon}$ compute line solutions. The result follows from Theorem 61. □


7.4 MVP is Not ConflictFree-Coordinated

Theorems 57 and 61 state, respectively, that the Modified Voltage Potential algorithm MVP is Repulsion-coordinated and, furthermore, ConflictFree-coordinated with any algorithm that computes tangent trajectories to the protected zone. The numerical example in Section 6.4 suggests that MVP is also ConflictFree-coordinated. However, as the following theorem shows, MVP is not ConflictFree-coordinated with itself. In other words, there exist scenarios where MVP does not achieve separation when both aircraft simultaneously maneuver according to the resolutions computed by the algorithm.

Theorem 63. The algorithm MVP is not ConflictFree-coordinated.

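Proof. To prove this theorem, it suffices to show that there exists $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\mathbf{v}'_o$, and $\mathbf{v}'_i$ such that $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i)$, $\mathbf{v}'_o \in \mathrm{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, and $\mathbf{v}'_i \in \mathrm{MVP}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$, where $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}'_o - \mathbf{v}'_i)$ holds.

Let $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, and $\mathbf{v}_i$ be defined as follows, where distances are in nautical miles and speeds are in knots.

$$\begin{aligned}
D &= 5, \\
\mathbf{s}_o &= (0, 0.1), \\
\mathbf{s}_i &= (\sqrt{30.24}, 0), \\
\mathbf{v}_o &= (500, 0), \\
\mathbf{v}_i &= (250, 0).
\end{aligned} \tag{33}$$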

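Simple algebraic manipulations can be used to show that vectors returned by the evaluations of $\mathrm{MVP}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ and $\mathrm{MVP}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ are given by

$$\mathbf{v}'_o = \left(500,\ \frac{1225}{\sqrt{30.24}}\right), \tag{34}$$

$$\mathbf{v}'_i = \left(250,\ -\frac{1225}{\sqrt{30.24}}\right), \tag{35}$$

respectively.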

The time at which the two aircraft achieve minimum separation when both aircraft simultaneously maneuver is computed by the function tca (Section 4.3), and is given by the following quotient.

$$\begin{aligned}
\mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i) &= -\frac{(-\sqrt{30.24}, 0.1) \cdot (250, 2450/\sqrt{30.24})}{\|(250, 2450/\sqrt{30.24})\|^{2}} \\
&= -\frac{245/\sqrt{30.24} - 250\sqrt{30.24}}{250^{2} + 2450^{2}/30.24}.
\end{aligned}$$

It can be proved that the distance between the aircraft at this time is strictly less than 4.85 nautical miles, i.e., that the following inequality holds.

$$\|\mathbf{s} + \mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i)\,(\mathbf{v}'_o - \mathbf{v}'_i)\| < 4.85.$$

In contrast to the numerical example presented in Section 6.4, the arithmetic used in this proof is exact. Hence, this inequality formally proves that MVP is not ConflictFree-coordinated. □


7.5 $\mathrm{GOtrack}_{1/2}$ is Not ConflictFree-Coordinated

In [2], it is claimed that if $\mathrm{GOtrack}_{f_o}$ is ConflictFree-coordinated with $\mathrm{GOtrack}_{f_i}$, then $f_o + f_i \geq 1$. This section shows that the converse claim does not hold, i.e., the fact that $f_o + f_i \geq 1$ does not imply that the algorithms are ConflictFree-coordinated. Although it holds for particular values of $f_o$ and $f_i$, e.g., when $f_o = 1$ and $f_i = 0$, it does not hold when $f_o = f_i = \frac{1}{2}$.

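Theorem 64. The algorithm $\mathrm{GOtrack}_{1/2}$ is not ConflictFree-coordinated.

Proof. To prove this theorem, it suffices to show that there exists $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\epsilon$, $\mathbf{v}'_o$, and $\mathbf{v}'_i$ such that $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i)$, $\mathbf{v}'_o \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, and $\mathbf{v}'_i \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$, where $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}'_o - \mathbf{v}'_i)$ holds.

Let $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, and $\epsilon$ be defined as follows, where distances are in nautical miles and speeds are in knots.

$$\begin{aligned}
D &= 5, \\
\mathbf{s}_o &= (0, 0), \\
\mathbf{s}_i &= \left(\frac{10}{\sqrt{3}}, 0\right), \\
\mathbf{v}_o &= (500, 0), \\
\mathbf{v}_i &= (250, 0), \\
\epsilon &= -1.
\end{aligned}$$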


The following equalities follow directly from definitions. 

track(v 0 ) = 

. . 7 r 

track(vj) = -, 

. . 7 r 

track(v 0 - Vj) = -, 

7 r 

Xrei(S) v o Vj, 0, 1) = -, 

* / 1 n 

Xred s ,V 0 -Vj,-,-l) = 

Xrel( S ’ V o~Vi,l,-l) = y. 

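Vectors $\mathbf{v}'_o \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ and $\mathbf{v}'_i \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ can be computed as follows.

$$\begin{aligned}
\mathbf{v}'_o &= \left(\frac{125}{2}\,(1 + 3\sqrt{5}),\ \frac{125}{2}\,\sqrt{3}\,(1 - \sqrt{5})\right), \\
\mathbf{v}'_i &= (125,\ 125\sqrt{3}).
\end{aligned}$$

Thus,

$$\mathbf{v}'_o - \mathbf{v}'_i = \left(\frac{125}{2}\,(3\sqrt{5} - 1),\ -\frac{125}{2}\,\sqrt{3}\,(1 + \sqrt{5})\right).$$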

The relative velocity vector $\mathbf{v}'_o - \mathbf{v}'_i$ therefore has a norm equal to 500 knots. Hence, the time when the aircraft achieve minimum separation is given by

$$\mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i) = -\frac{1}{500^{2}}\,\bigl(\mathbf{s} \cdot (\mathbf{v}'_o - \mathbf{v}'_i)\bigr) = \frac{1}{500^{2}}\, 625 \left(\sqrt{15} - \frac{1}{\sqrt{3}}\right).$$

The distance between the aircraft at this time satisfies the following inequality.

$$\|\mathbf{s} + \mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i)\,(\mathbf{v}'_o - \mathbf{v}'_i)\| < 4.1.$$

In contrast to the numerical example presented in Section 6.4, the arithmetic used in this proof is exact. Hence, this inequality formally proves that $\mathrm{GOtrack}_{1/2}$ is not ConflictFree-coordinated. □

7.6 $\mathrm{GOtrack}_{1/2}$ and MVP are Not ConflictFree-Coordinated

This section presents numerical evidence that the resolution algorithm $\mathrm{GOtrack}_{1/2}$ is not ConflictFree-coordinated with MVP, not even when $\epsilon$ represents the opposite direction to the resolution returned by MVP. The result that follows uses values returned by an implementation of the algorithm $\mathrm{GOtrack}_{1/2}$ and, therefore, may be inaccurate. Since those values have not been formally checked in PVS, the following result does not qualify as a formal proof. To distinguish this result from all the other results presented in this paper, it is stated as a conjecture instead of a lemma or theorem.

The algorithm $\mathrm{GOtrack}_{1/2}$ has as a parameter $\epsilon = \pm 1$, which refers to direction (left or right). The algorithm MVP does not have such a parameter, because it returns a vector for the ownship that yields a relative velocity vector that passes on the same side of the origin as the original relative velocity vector. Thus, when coordination is considered between the algorithms $\mathrm{GOtrack}_{1/2}$ and MVP, there is only one choice of the unit $\epsilon$ that could possibly provide coordination. This is the unit that satisfies $\epsilon\,\mathbf{s} \cdot \mathbf{v}^{\perp} < 0$, where $\mathbf{s}$ and $\mathbf{v}$ are the current relative position and velocity vectors, respectively.

Conjecture 1. The algorithms $\mathrm{GOtrack}_{1/2}$ and MVP are not ConflictFree-coordinated, not even when the parameter $\epsilon$ is chosen so that $\epsilon\,\mathbf{s} \cdot \mathbf{v}^{\perp} < 0$.

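To prove this conjecture, it suffices to show that there exists $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$, $\epsilon$, $\mathbf{v}'_o$, and $\mathbf{v}'_i$ such that $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}_o - \mathbf{v}_i)$, $\mathbf{v}'_o \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$, and $\mathbf{v}'_i \in \mathrm{MVP}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$, where $\mathrm{Conflict}(\mathbf{s}_o - \mathbf{s}_i, \mathbf{v}'_o - \mathbf{v}'_i)$ holds.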

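An example is now given that numerically justifies that such a scenario does indeed exist. Let $D$, $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, and $\mathbf{v}_i$ be given as in Formula (33) and let $\epsilon$ be $-1$. It is easy to see that $\epsilon\,\mathbf{s} \cdot \mathbf{v}^{\perp} < 0$. The vector $\mathbf{v}'_i \in \mathrm{MVP}(\mathbf{s}_i, \mathbf{s}_o, \mathbf{v}_i, \mathbf{v}_o)$ is exactly defined by Formula (35). A vector $\mathbf{v}'_o \in \mathrm{GOtrack}_{1/2}(\mathbf{s}_o, \mathbf{s}_i, \mathbf{v}_o, \mathbf{v}_i)$ can be computed numerically and is approximately given by

$$\mathbf{v}'_o \approx (478.835, 143.993).$$

In this case, the time of closest approach if both aircraft maneuver, i.e., $\mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i)$, is approximately 0.00654 hours or about 23.544 seconds. At this time, the separation between the aircraft is approximately given by

$$\|\mathbf{s} + \mathrm{tca}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i)\,(\mathbf{v}'_o - \mathbf{v}'_i)\| \approx 4.718.$$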

Thus, the aircraft are in conflict, and this completes the argument for Conjecture 1. The formal development of this argument is tedious although not necessarily difficult. The family of Geometric Optimization algorithms use analytical equations involving trigonometric functions. Trigonometric reasoning is not currently well-handled by state-of-the-art theorem provers.
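The counterexamples of Sections 7.4 to 7.6 can be cross-checked in floating point. The Python sketch below is an added example, not part of the paper or its PVS development: it implements tca and the MVP formula as stated in the proof of Lemma 60, assumes the aircraft start separated when testing for a conflict, and takes the GOtrack vectors as quoted in the text rather than computing them. All function names are chosen here for illustration, and the result is a numerical check, not a proof.

```python
import math

D = 5.0                   # protected-zone radius, nautical miles
R = math.sqrt(30.24)      # x-coordinate of s_i in Formula (33)

def sub(a, b): return (a[0] - b[0], a[1] - b[1])
def add(a, b): return (a[0] + b[0], a[1] + b[1])
def scale(k, a): return (k * a[0], k * a[1])
def dot(a, b): return a[0] * b[0] + a[1] * b[1]
def norm(a): return math.hypot(a[0], a[1])

def tca(s, v):
    """Time of closest approach for relative position s and velocity v."""
    return -dot(s, v) / dot(v, v)

def min_separation(s, v):
    """Distance between the aircraft at time tca(s, v)."""
    return norm(add(s, scale(tca(s, v), v)))

def conflict(s, v, d=D):
    # Assumption: aircraft start separated, so closest approach must lie ahead.
    return tca(s, v) > 0 and min_separation(s, v) < d

def mvp(s_o, s_i, v_o, v_i, d=D):
    """MVP velocity: v'_o = v_i + (1/tca) * (d/||s_tca|| * s_tca - s)."""
    s, v = sub(s_o, s_i), sub(v_o, v_i)
    t = tca(s, v)
    s_tca = add(s, scale(t, v))
    return add(v_i, scale(1 / t, sub(scale(d / norm(s_tca), s_tca), s)))

def theorem_63():
    """Both aircraft run MVP on Formula (33): v'_o, v'_i, s, v'_o - v'_i."""
    s_o, s_i, v_o, v_i = (0.0, 0.1), (R, 0.0), (500.0, 0.0), (250.0, 0.0)
    new_o, new_i = mvp(s_o, s_i, v_o, v_i), mvp(s_i, s_o, v_i, v_o)
    return new_o, new_i, sub(s_o, s_i), sub(new_o, new_i)

def theorem_64():
    r3, r5 = math.sqrt(3), math.sqrt(5)
    new_o = (62.5 * (1 + 3 * r5), 62.5 * r3 * (1 - r5))  # vectors from the proof
    new_i = (125.0, 125.0 * r3)
    return (-10 / r3, 0.0), sub(new_o, new_i)

def conjecture_1():
    new_o = (478.835, 143.993)   # approximate GOtrack_1/2 output quoted in the text
    return (-R, 0.1), sub(new_o, theorem_63()[1])   # intruder uses MVP, Formula (35)

if __name__ == "__main__":
    for case in (theorem_63()[2:], theorem_64(), conjecture_1()):
        print(round(min_separation(*case), 4), conflict(*case))
```

Each printed separation stays below D = 5 nautical miles, in line with the bounds 4.85, 4.1 and 4.718 given in the text.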
Table 4. Coordination of $\mathrm{GOtrack}_{1/2}$, MVP, $\mathrm{GOtrack}_{1}$, and $\mathrm{ACCoRDtrack}_{\epsilon}$.


8 Conclusion 

This paper proposed a general mathematical framework for studying implicit coordination in the context of state-based separation assurance systems. Implicit coordination has been formally defined before [3,4,6,11]. In those papers, the concept of coordination applies to a particular strategy for computing coordinated resolution maneuvers or to a specific conflict resolution algorithm. The work presented in this paper applies to any state-based separation assurance algorithm and to any type of safety property for which coordination needs to be proved.

The framework is illustrated by formally studying coordination properties of well-known conflict resolution algorithms such as the Modified Voltage Potential algorithm (MVP), the Geometric Optimization algorithm for track angle maneuvers ($\mathrm{GOtrack}_{1}$), and ACCoRD's conflict resolution algorithm for track angle maneuvers ($\mathrm{ACCoRDtrack}_{\epsilon}$). Table 4 summarizes the main results where the intersection between a column and a row refers to ConflictFree-coordination for the given resolution algorithms. The symbol ✓ stands for cases where coordination has been formally proved in PVS. The symbol X stands for cases where coordination has been formally disproved in PVS, i.e., a counterexample for coordination has been found and the claim that the counterexample does not satisfy coordination has been formally proved in PVS. The symbol X* stands for cases where a counterexample for coordination has been found and the claim that coordination does not hold has been numerically checked, but the formal proof of this claim is not provided. The remaining cases have not been studied, but they could be analyzed in the same way as the other cases presented in this paper.

The framework presented here relies on some physical and operational assumptions. For instance, the airspace is represented by a Euclidean geometry, where aircraft fly linear trajectories and maneuver instantaneously. These assumptions are common to state-based approaches. They allow for analytical solutions that yield efficient implementations. Despite its limitations, state-based CD&R is used in the self-separation concept [20] as a backup for more sophisticated separation assurance systems. Therefore, state-based CD&R is a critical component of this concept. The framework also assumes that resolution maneuvers are computed in a pairwise fashion. Although multiple simultaneous conflicts may be rare, they will exist and the safety case for a distributed air traffic concept of operations has to guarantee that they are correctly handled. Future work in this area will look at this problem. In particular, it will be studied how the criteria concept can be integrated into prevention bands [14], a concept that naturally fuses conflict information for multiple aircraft.

In summary, the framework presented here is believed to be a fundamental step towards the understanding of how different state-based separation assurance algorithms can be deployed in the future airspace in a way that they safely interact with each other. This framework provides the mathematical basis for an approach to self-separation in NextGen that does not rely on a specifically mandated CD&R algorithm but on a criteria-based standard for conflict resolution [12].

The results presented in this paper have been mechanically checked using an interactive theorem prover, which provides strong guarantees that the mathematical development is correct. The use of a mechanical theorem prover requires a detailed description of the problem and a meticulous proof process. This level of rigor is justified by the critical role that aircraft separation plays in the overall safety of the next generation of air traffic management systems.